b'      2011 Annual FISMA Executive\n      Summary Report\n\n\n\n\n                                                                                   February 2, 2012\n                                                                                   Report No. 501\n          2011 FISMA Executive Summary Report                                January 13, 2012\nAssessment ant dNo.R501\n        Repor       eview Conducted by Networking Institute of Technology, Inc.\n                                             Page 1\n                                 REDACTED PUBLIC VERSION\n                                                DRAFT\n\x0c                                              UNITED STATES\n                            SECUF1ITIES AND E XCHANGE COMMISSION\n                                        WASHI N GTO ,. , D . C .   2.0~49\n\n\n\n\n                                      MEMORA ND U M\n                                              February 2, 2012\n\n           To:           Thomas Bayer, Chief Information Officer, Office of Info rmation\n                                                               \\-iii1-\n\n                        ~\n                             e\'h"OIO \xc2\xa5             ~\n           From:            elle      ney,   cling Inspector Genclral, Office of Inspector\n                           Gen     I (OIG)\n\n           Su bject:     2011 Annual FISMA Executive Summary Repett. Report 501\n\n           This memorandum transmits the U,S. Securities and Exchange Commission ,\n           OIG\'s fi nal report detailing the results on our 20 11 Federal Information Security\n           Management Act of 2002 review\n\n           The fina l report contains 13 recomme ndations whicl\xe2\x80\xa2. it fully implemented. should\n           strengthen the SEC\'s controls over information secur,ty. The Office of\n           Info rmati on Technology (OIT) concurred with all 01 the report recommendations,\n           OIT\'s written response to the report is included in the appendices,\n\n           Within the next 45 days. please provide the OIG with a written corrective action\n           plan that is designed to address the report\'s agreed.upon recommendations.\n           The corrective action plan should include information such as the respons ible\n           official/point of contact, timeframes for completing reqlJired actions, and\n           milestones identifying how you Will address eijch reccmmendation .\n\n           Should you have any questions regarding this repon. ;:.Iease do not hesitate to\n           contact me or Jacqueline W ilson , Assistant Inspectc: General for Audits. at ext.\n           1\xc2\xb76326. We appreciate the courtesy and cooperation that you and your staff\n           extended to our staff and contractors duri ng this revi8w.\n\n           Attachment\n\n           cc:     James R Burns, Deputy Chief of Staff, Office c f the Chairman\n                   luis A. Aguilar, Commissioner\n                   Troy A. Paredes. Commissioner\n                   Elisse B, Walter, Commissioner\n                   Daniet Gallag her, Commissioner\n                   Jeff Heslop. Chief Operating Officer, Office of Chief of Operations\n                   Todd Scharf. Chief Information Security Officer, Office of Information\n                     Technology\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                                   February 2, 2012\nReport No. 501\n                                       Page ii\n                               REDACTED PUBLIC VERSION\n\x0c                        2011 Annual FISMA\n                     Executive Summary Report\n\n                                    Executive Summary\nIn June 2011, the U.S. Securities and Exchange Commission (SEC or\nCommission) Office of Inspector General (OIG) contracted with Networking\nInstitute of Technology, Inc. (NIT) to assist with the completion and coordination\nof the OIG\xe2\x80\x99s response to Office of Management and Budget (OMB)\nMemorandum M-11-33, FY 2011 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management Act\n(OMB M-11-33). 1 This memorandum provides instructions for meeting the fiscal\nyear 2011 reporting requirements under the Federal Information Security\nManagement Act of 2002 (FISMA). 2\n\nNIT began work on this project in June 2011. NIT\xe2\x80\x99s task included reviewing and\nevaluating the major components for FISMA 2011 in order to provide its\nrecommended responses to OMB through Cyberscope (OMB\xe2\x80\x99s online FISMA\nreporting system). Further, NIT\xe2\x80\x99s task was to compile an Executive Summary\nReport that communicates the Inspector General\xe2\x80\x99s response to the fiscal year\n2011 FISMA submission. NIT\xe2\x80\x99s review process included interviewing key SEC\nOffice of Information Technology (OIT) personnel, and examining policies,\nprocedures and other related documentation. Based on NIT\xe2\x80\x99s evaluation and\nrecommendations, the OIG submitted its responses to the fiscal year 2011\nFISMA submission. In addition, during the course of the review, NIT identified\nthe following areas requiring improvement: OIT policies and procedures are\noutdated or nonexistent; OIT risk assessment policy does not address risk from a\nmission and business process perspective or the SEC\xe2\x80\x99s overall organizational\nrisk strategy; a tailored set of baseline security controls has not been formally\ndefined and control sets have not been tailored for the specific systems; OIT has\nnot conducted configuration compliance scans and has no defined process for\nremediating compliance scan results in a timely manner; and multi-factor\nauthentication for system access has not been linked to the Commission\xe2\x80\x99s\nPersonal Identity Verification (PIV) Program.\n\nBackground. FISMA was enacted in 2002 as Title III of the E-Government Act\nof 2002. The purpose of this law is to recognize the importance of information\nsecurity to the economic and national security interests of the United States. The\nlaw emphasizes the need for organizations to develop, document, and implement\n\n1\n  OMB, Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security\nManagement Act and Privacy Management Act (Sept. 14, 2011),\nhttp://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf.\n2\n  Title III, Pub. L. No. 107-347, http://csrc.nist.gov/drivers/documents/FISMA-final.pdf.\n2011 Annual FISMA Executive Summary Report                                                February 2, 2012\nReport No. 501\n                                       Page iii\n                               REDACTED PUBLIC VERSION\n\x0corganization-wide programs that provide security for the information systems that\nsupport the organization\xe2\x80\x99s operations and assets, as well as information systems\nthat are provided or managed by other agencies, contractors, or other sources.\nFISMA provides the framework for securing the federal government\xe2\x80\x99s information\ntechnology and requires agency program officials, chief information officers\n(CIO), privacy officers, and inspectors general to conduct annual reviews of the\nagency\xe2\x80\x99s information security and privacy programs and report the results to\nOMB. For fiscal year 2011, OMB M-11-33 provides instructions to heads of\nexecutive departments and agencies for meeting the fiscal year 2011 reporting\nrequirements. OMB uses the information collected from the executive\ndepartments and agencies to:\n\n     (1)     help evaluate agency-specific and government-wide information\n             security and privacy program performance,\n     (2)     develop its annual security report to Congress,\n     (3)     assist in improving and maintaining adequate agency\n             performance, and\n     (4)     assist in developing the E-Government Scorecard under the\n             President\xe2\x80\x99s Management Agenda.\n\nOver the last year, OIT experienced major changes in its leadership, including a\nnew CIO appointed in October 2010, a major reorganization, changes in senior\nOIT staff, and a new contractor brought in to oversee the SEC\xe2\x80\x99s daily OIT\nfunction. 3\n\nObjectives. The overall objective of the 2011 FISMA assessment was to assess\nthe SEC\xe2\x80\x99s systems and provide the OIG with input to the Commission\xe2\x80\x99s response\nto OMB M-11-33. The assessment included a review of the Commission\xe2\x80\x99s\ninformation security posture, as required annually by FISMA. The 2011 FISMA\nassessment included the following mandated security requirements:\n\n    \xe2\x80\xa2   risk management\n    \xe2\x80\xa2   configuration management\n    \xe2\x80\xa2   incident response and reporting\n    \xe2\x80\xa2   security training\n    \xe2\x80\xa2   evaluation of agency plan of action and milestones process\n    \xe2\x80\xa2   remote access management\n    \xe2\x80\xa2   identity and access management\n    \xe2\x80\xa2   continuous monitoring management\n    \xe2\x80\xa2   contingency planning\n    \xe2\x80\xa2   agency oversight of contractor systems\n    \xe2\x80\xa2   security capital planning\n\n3\n The contractor is responsible for providing support services, including server and managed network\nservices, end user computing, service desk, and pre-production services to OIT.\n2011 Annual FISMA Executive Summary Report                                                February 2, 2012\nReport No. 501\n                                       Page iv\n                               REDACTED PUBLIC VERSION\n\x0cResults. The key findings and results for the 2011 FISMA assessment are as\nfollows:\n\n    \xe2\x80\xa2   OIT has formally documented information technology (IT) policies\n        and procedures for the following FISMA controls: risk\n        management, configuration management, incident response and\n        reporting, security training, plan of action and milestones, remote\n        access management, identity and access management, and\n        contingency planning. Although OIT has documented the policies\n        and procedures for the areas previously identified and the policies\n        and procedures are centrally located, the policies and procedures\n        are not updated based on the agency-defined frequency of three\n        years as noted in OIT\xe2\x80\x99s IT Security Compliance Program Policy 4 or\n        based on the individual policy\xe2\x80\x99s or procedure\xe2\x80\x99s defined frequency\n        as specified in the policy or procedure. Additionally, OIT does not\n        have documented procedures for risk management. Further, NIT\n        found that OIT does not have documented policies or procedures\n        for continuous monitoring management or for contractor systems.\n\n    \xe2\x80\xa2   The SEC has established and is maintaining a risk management\n        program that is generally in compliance with the applicable\n        regulatory and statutory requirements. However, the current risk\n        management policy does not address risk from an organizational\n        (overall) perspective or a mission and business process\n        perspective. Additionally, a tailored set of baseline security controls\n        is not formally defined for each system.\n\n    \xe2\x80\xa2   The SEC has established and is maintaining a configuration\n        management program that is generally in compliance with FISMA\n        requirements, OMB policy, and National Institute of Standards and\n        Technology (NIST) guidelines. However, OIT has not updated the\n        policies and procedures for configuration management. Further,\n        OIT has not updated the baseline for conducting configuration\n        compliance scans to ensure that configurations are in compliance\n        with defined baseline configurations for major IT devices. Due to\n        the lack of an updated defined baseline configuration template, OIT\n        has not conducted configuration compliance scans.\n\n    \xe2\x80\xa2   OIT has established and is maintaining an incident response and\n        reporting program that is capable of detecting, responding to, and\n        reporting incidents. Further, the SEC responds to and resolves\n        incidents in a timely manner, is capable of tracking and managing\n        risks, and is capable of correlating incidents.\n4\n Operating Directive, IT Security Compliance Program, Policy Number OD24-04-10 (June 9, 2011), p. 7,\nsection 5, No.12.\n2011 Annual FISMA Executive Summary Report                                           February 2, 2012\nReport No. 501\n                                      Page v\n                              REDACTED PUBLIC VERSION\n\x0c     \xe2\x80\xa2   Security training is provided to SEC personnel, including\n         employees, contractors, and other agency users. In addition, the\n         Commission has specialized training modules based on IT security\n         roles and responsibilities.\n\n     \xe2\x80\xa2   OIT is effectively tracking, prioritizing, and remediating weaknesses\n         across the various systems, in accordance with the remediation\n         dates stated in its Plan of Action and Milestones documentation.\n\n     \xe2\x80\xa2   The SEC has established and is maintaining a remote access\n         program for authorizing, monitoring, and controlling the following\n         methods of remote access:\n\n                                               The Commission\xe2\x80\x99s remote\n         access infrastructure is located in a secure demilitarized zone. 9\n         Users must first be authenticated for remote access.\n\n     \xe2\x80\xa2   OIT has established and is maintaining an identity and access\n         management program that is generally consistent with FISMA\n         requirements, OMB policy, and applicable NIST guidelines and\n         identifies users and network devices. However, the SEC does not\n         use multi-factor authentication that is linked to a PIV card, as\n         required by Homeland Security Presidential Directive-12 (HSPD-\n         12) 10 and in accordance with NIST recommendations.\n\n     \xe2\x80\xa2   The SEC has established and is maintaining an enterprise-wide\n         continuous monitoring program that assesses the security state of\n         information systems to include vulnerability scanning, patch\n         management, and ongoing assessment of security controls.\n\n     \xe2\x80\xa2   The SEC has established and is maintaining an enterprise-wide\n         business continuity/disaster recovery program that is generally\n         consistent with the applicable regulatory and statutory\n         requirements. Disaster recovery plans are in place and can be\n         implemented when necessary. Further, OIT performs annual\n         contingency plan testing for major applications.\n\n\n\n                                                                        is a\n                                                   such as               o provide\n\n\n\n\n A demilitarized zone is a firewall configuration that adds an extra layer of security for information systems.\n10\n  Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal\nEmployees and Contractors (July 1, 2011), http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm.\n2011 Annual FISMA Executive Summary Report                                                      February 2, 2012\nReport No. 501\n                                         Page vi\n                                 REDACTED PUBLIC VERSION\n\x0c   \xe2\x80\xa2   The SEC has established and is generally maintaining a program to\n       oversee systems operated on its behalf by contractors or other\n       entities, including agency systems and services residing in the\n       public cloud. Further, OIT consistently ensures that security\n       controls of contractor systems are effectively implemented and\n       comply with federal and agency guidelines.\n\n   \xe2\x80\xa2   A security capital and planning program for information security has\n       been established and is maintained at the SEC.\n\nSummary of Recommendations. The report contains the following 13\nrecommendations:\n\n       (1)   OIT should develop and implement a detailed plan to review\n             and update OIT security policies and procedures and to create\n             OIT security policies and procedures for areas that lack formal\n             policies and procedures.\n\n       (2)   OIT should develop a comprehensive risk management\n             strategy in accordance with National Institute of Standards and\n             Technology, Guide for Applying the Risk Management\n             Framework to Federal Information Systems: A Security Life\n             Cycle Approach, that will ensure management of system-\n             related security risks is consistent with the Commission\xe2\x80\x99s\n             mission/business objectives and overall risk strategy.\n\n       (3)   OIT should update its current risk management policy to\n             include language regarding developing a comprehensive\n             governance structure and ensure management of system-\n             related security risks is consistent with the Commission\xe2\x80\x99s\n             mission/business objectives and overall risk strategy.\n\n       (4)   OIT should develop and implement a formal risk management\n             procedure that identifies an acceptable process for evaluating\n             system risk and is consistent with the Commission\xe2\x80\x99s\n             mission/business objectives and overall risk strategy.\n\n       (5)   OIT should develop and implement formal policy that\n             addresses tailoring baseline security control sets.\n\n       (6)   OIT should determine whether it should perform the tailoring\n             process at the organization level for all information systems\n             (either as the required tailored baseline or as the starting point\n             for system-specific tailoring), at the individual information\n\n\n2011 Annual FISMA Executive Summary Report                               February 2, 2012\nReport No. 501\n                                    Page vii\n                            REDACTED PUBLIC VERSION\n\x0c             system level, or using a combination of organization-level and\n             system-specific approaches.\n\n       (7)   OIT should tailor a baseline security controls set (with\n             rationale) for applicable systems in accordance with the\n             guidance provided by National Institute of Standards and\n             Technology, Guide for Applying the Risk Management\n             Framework to Federal Information Systems: A Security Life\n             Cycle Approach, and National Institute of Standards and\n             Technology, Recommended Security Controls for Federal\n             Information Systems and Organizations.\n\n       (8)   OIT should review and update its configuration management\n             policy to ensure that it complies with the requirements of the\n             Federal Information Security Management Act and with the\n             guidelines specified in National Institute of Standards and\n             Technology, Recommended Security Controls for Federal\n             Information Systems and Organizations, as well as with its\n             internal requirements.\n\n       (9)   OIT should review and document its current standard baseline\n             configuration, including identification of approved deviations\n             and exceptions to the standard.\n\n     (10)    OIT should conduct compliance scans of its information\n             technology devices, according to the organizationally defined\n             frequency in the policy and procedures, to ensure that all\n             devices are configured as required by OIT\xe2\x80\x99s configuration\n             management policy and procedures.\n\n     (11)    OIT should update its policy and include language indicating\n             that deviations from the baseline configurations that are\n             identified and documented as a result of the configuration\n             compliance scans are properly remediated in a timely manner.\n\n     (12)    OIT should provide a new date to the Office of Management\n             and Budget for implementing the technical solution for linking\n             multi-factor authentication to the Personal Identity Verification\n             (PIV) cards for system authentication.\n\n     (13)    OIT should complete its implementation of the technical\n             solution for linking multi-factor authentication to PIV cards for\n             system authentication and require use of the PIV cards as a\n             second authentication factor by December 2012.\n\n\n2011 Annual FISMA Executive Summary Report                               February 2, 2012\nReport No. 501\n                                    Page viii\n                            REDACTED PUBLIC VERSION\n\x0cThe full version of this report includes information that the SEC considers to be\nsensitive or proprietary. To create this public version of the report, the OIG\nredacted (blacked out) potentially sensitive, proprietary information from the\nreport.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                            February 2, 2012\nReport No. 501\n                                    Page ix\n                            REDACTED PUBLIC VERSION\n\x0cTABLE OF CONTENTS\nExecutive Summary ................................................................................................iii\n\nTable of Contents .................................................................................................... x\n\nBackground and Objectives\n     Background ....................................................................................................... 1\n     Objectives .......................................................................................................... 2\n\nFindings and Recommendations\n     Finding 1: OIT\xe2\x80\x99s FISMA Policies and Procedures Are Outdated or\n     Nonexistent ........................................................................................................ 3\n                   Recommendation 1....................................................................... 5\n\n         Finding 2: OIT\xe2\x80\x99s Risk Management Policy Is Not Addressed From Mission\n         and Business Process Perspectives and Overall Commission Risk\n         Strategies ........................................................................................................... 5\n                         Recommendation 2....................................................................... 8\n                         Recommendation 3....................................................................... 8\n                         Recommendation 4....................................................................... 9\n\n         Finding 3: OIT Has Not Formally Defined a Tailored Set of Baseline\n         Security Controls and Has Not Tailored Control Sets for Specific Systems\n         ........................................................................................................................... 9\n                              Recommendation 5..................................................................... 12\n                              Recommendation 6..................................................................... 12\n                              Recommendation 7..................................................................... 12\n\n         Finding 4: OIT Has Not Conducted Configuration Compliance Scans and\n         Needs a Defined Process to Address Compliance Scan Results in a\n         Timely Manner ................................................................................................. 13\n                      Recommendation 8..................................................................... 15\n                      Recommendation 9..................................................................... 15\n                      Recommendation 10................................................................... 15\n                      Recommendation 11................................................................... 16\n\n         Finding 5: Multi-Factor Authentication for System Access Has Not Been\n         Linked to the SEC\xe2\x80\x99s Personal Identity Verification Program ............................. 16\n                       Recommendation 12................................................................... 19\n                       Recommendation 13................................................................... 19\n\nTables\n     Table 1: SEC Systems and Date Accessed. ................................................... 11\n     Table 2: OIG Response to Question 1 From OMB Questionnaire................... 33\n2011 Annual FISMA Executive Summary Report                                                               February 2, 2012\nReport No. 501\n                                            Page x\n                                    REDACTED PUBLIC VERSION\n\x0c        Table 3: OIG Response to Question 2 From OMB Questionnaire................... 36\n        Table 4: OIG Response to Question 3 From OMB Questionnaire................... 38\n        Table 5: OIG Response to Question 4 From OMB Questionnaire................... 40\n        Table 6: OIG Response to Question 5 From OMB Questionnaire .................. 42\n        Table 7: OIG Response to Question 6 From OMB Questionnaire .................. 44\n        Table 8: OIG Response to Question 7 From OMB Questionnaire................... 46\n        Table 9: OIG Response to Question 8 From OMB Questionnaire................... 48\n        Table 10: OIG Response to Question 9 From OMB Questionnaire................. 50\n        Table 11: OIG Response to Question 10 From OMB Questionnaire............... 52\n        Table 12: OIG Response to Question 11 From OMB Questionnaire............... 54\n        Table 13: OIT Policies and Procedures and Date of Last Update ................... 55\n\nAppendices\n    Appendix I: Abbreviations................................................................................ 21\n    Appendix II: Scope and Methodology .............................................................. 22\n    Appendix III: Criteria and Guidance ................................................................ 25\n    Appendix IV: List of Recommendations .......................................................... 27\n    Appendix V: OIG\xe2\x80\x99s Response to the OMB Questionnaire ............................... 30\n    Appendix VI: OIT Policies and Procedures Past Due for Updates .................. 55\n    Appendix VII: Management Comments........................................................... 59\n    Appendix VIII: OIG Response to Management\xe2\x80\x99s Comments........................... 64\n\nFigures\n     Figure 1: Risk Management Framework ........................................................... 6\n     Figure 2: Security Control Selection Process .................................................. 11\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                              February 2, 2012\nReport No. 501\n                                       Page xi\n                               REDACTED PUBLIC VERSION\n\x0c                    Background and Objectives\n\nBackground\nIn June 2011, the U.S. Securities and Exchange Commission (SEC or\nCommission) Office of Inspector General (OIG) contracted with Networking\nInstitute of Technology, Inc. (NIT) to assist with completing and coordinating the\nOIG\xe2\x80\x99s response to Office of Management and Budget (OMB) Memorandum M-\n11-33, FY 2011 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management (OMB M-11-33). 11\n\nThe Federal Information Security Management Act of 2002 (FISMA)12 provides\nthe framework for securing the federal government\xe2\x80\x99s information technology (IT).\nFISMA emphasizes the need for organizations to develop, document, and\nimplement an organization-wide program to provide security for the information\nsystems that support its operations and assets. All agencies must implement the\nrequirements of FISMA and report annually to OMB, using OMB-issued reporting\ninstructions, on the effectiveness of their information security and privacy\nprograms. OMB uses the information to help evaluate agency-specific and\ngovernment-wide information security and privacy program performance, develop\nits annual security report to Congress, help improve and maintain adequate\nagency performance, and develop the E-Government Scorecard under the\nPresident\xe2\x80\x99s Management Agenda.\n\nOMB M-11-33 provides instructions to heads of executive departments and\nagencies for meeting the fiscal year 2011 reporting requirements. It also requires\nInspectors General to independently evaluate and report how their department\xe2\x80\x99s\nor agency\xe2\x80\x99s chief information officer (CIO), senior agency official for privacy, and\nprogram officials implemented information security requirements related to risk\nmanagement, configuration management, incident response and reporting,\nsecurity training, plan of action and milestones, remote access management,\nidentity and access management, continuous monitoring management,\ncontingency planning, oversight of contractor systems, and security capital\nplanning.\n\nNIT began work on this project in June 2011. NIT reviewed and evaluated the\nCommission\xe2\x80\x99s implementation of information security requirements and provided\nthe OIG the results of its assessment and its recommended responses for\nsubmission to OMB through Cyberscope (OMB\xe2\x80\x99s online FISMA reporting system)\nand for compiling this report. NIT\xe2\x80\x99s responses are based on information provided\n11\n   OMB, Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security\nManagement Act and Privacy Management (Sept. 14, 2011),\nhttp://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf.\n12\n   Title III, Pub. L. No. 107-347, http://csrc.nist.gov/drivers/documents/FISMA-final.pdf.\n2011 Annual FISMA Executive Summary Report                                                 February 2, 2012\nReport No. 501\n                                        Page 1\n                                REDACTED PUBLIC VERSION\n\x0cby Commission staff and obtained through interviews and review of\ndocumentation. Using NIT\xe2\x80\x99s assessment and recommendations, the OIG has\nsubmitted its responses to the 2011 FISMA questionnaire through Cyberscope to\nOMB.\n\nObjectives\nThe overall objective of the 2011 FISMA assessment was to review the SEC\xe2\x80\x99s\nsystems and provide the OIG with input to the Commission\xe2\x80\x99s response to OMB\nM-11-33. The assessment included a review of the Commission\xe2\x80\x99s information\nsecurity posture, as required annually by FISMA. The 2011 FISMA assessment\naddressed the following security requirements:\n\n   \xe2\x80\xa2   risk management\n   \xe2\x80\xa2   configuration management\n   \xe2\x80\xa2   incident response and reporting\n   \xe2\x80\xa2   security training\n   \xe2\x80\xa2   evaluation of agency plan of action and milestones process\n   \xe2\x80\xa2   remote access management\n   \xe2\x80\xa2   identity and access management\n   \xe2\x80\xa2   continuous monitoring management\n   \xe2\x80\xa2   contingency planning\n   \xe2\x80\xa2   agency oversight of contractor systems\n   \xe2\x80\xa2   security capital planning\n\n\n\n\n2011 Annual FISMA Executive Summary Report                          February 2, 2012\nReport No. 501\n                                    Page 2\n                            REDACTED PUBLIC VERSION\n\x0c                  Findings and Recommendations\n\n\nFinding 1: OIT\xe2\x80\x99s FISMA Policies and\nProcedures Are Outdated or Nonexistent\n           OIT\xe2\x80\x99s documented FISMA policies and procedures are\n           outdated. In addition, OIT lacks documented procedures for\n           risk management, continuous monitoring management, and\n           information security oversight over systems operated by\n           SEC contractors and other entities.\n\nNIT found that OIT has formally documented IT policies and procedures for the\nfollowing FISMA control areas: risk management, configuration management,\nincident response and reporting, security training, plan of action and milestones\n(POA&M), remote access management, identity and access management, and\ncontingency planning. These policies are centrally accessible via the SEC\xe2\x80\x99s\nIntranet site, in OIT\xe2\x80\x99s policy library. 13\n\nNIT found, however, that these policies and procedures have not been reviewed\nand updated either within the timeframe specified in the policy or procedure itself\nor in accordance with the requirements of Operating Directive\n                                   which states that OIT policies and procedures\nare to be evaluated every three years. In addition, OIT did not maintain the\npolicies and procedures consistent with the recommendations of the National\nInstitute of Standards and Technology (NIST), as set forth in NIST Special\nPublication 800-53, Recommended Security Controls for Federal Information\nSystems and Organizations (NIST SP 800-53). 15 According to NIST SP 800-53,\nan organization should develop, disseminate, and review/update, as frequently\nas organization policy specifies, the following:\n\n           a) A formal, documented policy that addresses purpose, scope,\n              roles, responsibilities, management commitment, coordination\n              among organizational entities, and compliance;\n\n\n\n\n13\n     OIT Policy Library,\n14\n     Operating Directive,\n\n   NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and\nOrganization, (August 2009), http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                 February 2, 2012\nReport No. 501\n                                        Page 3\n                                REDACTED PUBLIC VERSION\n\x0c        b) Formal, documented procedures to facilitate the implementation\n           of the [ ] policy and associated [ ] controls. 16\n\nAs a consequence, staff may use inconsistent, informal, undocumented policies\nand procedures.\n\nAdditionally, NIT found that OIT does not have documented procedures for risk\nmanagement or documented policies or procedures for continuous monitoring\nmanagement or information security oversight of systems operated on the\nCommission\xe2\x80\x99s behalf by contractors or other entities (commonly referred to as\ncontractor systems).\n\nOur review of OIT\xe2\x80\x99s policy library found 45 OIT policies and procedures that were\npast due for updating. Of these, 24 are required to be updated annually, as\nspecified in the policy or procedure, but 2 are eight years overdue for updates, 1\nis seven years overdue for update, 7 are five years overdue for updates, 9 are\nfour years overdue for updates, 4 are three years overdue for updates, and 1 is\ntwo years overdue for an update. The other 21 policies and procedures are\nrequired to be updated every three years in accordance with the IT Security\nCompliance Program policy, but 3 are six years overdue for updates, 7 are three\nyears overdue for updates, 10 are two years overdue for updates, and 1 is one\nyear overdue for an update. Appendix VI lists the specific OIT policies and\nprocedures past due for updates.\n\nOIT acknowledges that a significant number of OIT policies and procedures have\nnot been reviewed and updated in accordance with the organization-defined\nfrequency or the frequency specified in the individual policy or procedure. OIT\nhas recently purchased a software tool, Archer, to help it manage and develop\nOIT policies and procedures. Archer centrally manages policies and procedures,\nmaps them to objectives, and uses built-in alert notifications for reviewing policies\nand procedures.\n\nBased on interviews with OIT staff and a review of the policies and procedures,\nNIT found that there is a lack of oversight to ensure that policy and procedure\nreviews and updates are conducted in accordance with the organization-defined\nfrequencies.\n\nBecause OIT policies and procedures are not updated with the required\nfrequency, OIT staff has not received adequate guidance to implement current\nNIST guidance and fulfill management\xe2\x80\x99s expectations for implementing controls\n\n\n16\n   NIST SP 800-53, Rev. 3, p. F-92, Risk Assessment, p. F-38, Configuration Management, p. F-61, Incident\nResponse, p. F-21, Awareness and Training, p. F-32, Security Assessment and Authorization, p. F-3,\nAccess Control, p. F-47, Contingency Planning, p. F-54, Identification and Authentication,\nhttp//csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                 February 2, 2012\nReport No. 501\n                                        Page 4\n                                REDACTED PUBLIC VERSION\n\x0cthroughout the Commission. In addition, OIT staff may apply inconsistent,\ninformal, undocumented policies and procedures within the IT environment.\n\n          Recommendation 1:\n\n          The Office of Information Technology (OIT) should develop and implement\n          a detailed plan to review and update OIT security policies and procedures\n          and to create OIT security policies and procedures for areas that lack\n          formal policy and procedures.\n\n          Management Comments. OIT concurred with this recommendation.\n          See Appendix VII for management\xe2\x80\x99s full comments.\n\n          OIG Analysis. We are pleased that OIT concurred with this\n          recommendation.\n\n\nFinding 2: OIT\xe2\x80\x99s Risk Management Policy Is\nNot Addressed From Mission and Business\nProcess Perspectives or the Commission\xe2\x80\x99s\nOverall Strategy\n          OIT\xe2\x80\x99s risk management policy does not adhere to the\n          requirements for a comprehensive governance structure and\n          organizational overall risk management strategy. Further, it\n          does not address risk from a mission and business process\n          perspective, as described in NIST guidelines. As a result of\n          not updating its risk management policy, OIT has not\n          developed a comprehensive strategy to manage risk at the\n          organizational or the mission and business process levels.\n\nNIT found that OIT has a formally documented risk management policy\xe2\x80\x94\n                                                                       17\nImplementing Instruction (II)                                            \xe2\x80\x94which is\naccessible through the SEC\xe2\x80\x99s Intranet site in the OIT policy library and includes\nthe roles and responsibilities of participants. NIT found that the policy has not\nbeen updated since 2005 and that it does not include formal risk management\nprocedures that identify an acceptable process for evaluating risk at the\norganization and the mission and business process levels, as described in NIST\nSpecial Publication 800-37, Guide for Applying the Risk Management Framework\nto Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-\n37), released in February 2010. Specifically, the OIT risk management policy\n\n17\n     II\n\n2011 Annual FISMA Executive Summary Report                               February 2, 2012\nReport No. 501\n                                    Page 5\n                            REDACTED PUBLIC VERSION\n\x0cdoes not include the required comprehensive governance structure and\norganization-wide risk management strategy.\n\nNIST SP 800-37 states the following:\n\n          The guidelines have been developed to ensure that\n          managing information system-related security risks is\n          consistent with the organization\xe2\x80\x99s mission/business\n          objectives and overall risk strategy established by the senior\n          leadership through the risk executive (function). 18\n\nAdditionally, OIT\xe2\x80\x99s risk management policy does not use the three-tiered\napproach to risk management, referred to as the Risk Management Framework\n(RMF), as illustrated in figure 1, below. 19\n\n     Figure 1: Risk Management Framework\n\n\n\n\n     Source: NIST SP 800-37.\n\nTier 1 addresses risk from an organizational perspective through development of\na comprehensive governance structure and organization-wide risk management\nstrategy. Tier 2 addresses risk from a mission and business process\nperspective, and its activities are closely associated with enterprise architecture\nand are guided by Tier 1 risk decisions. Tier 3 addresses risk from an\ninformation system perspective and is guided by Tier 1 and Tier 2 risk\n\n18\n   NIST Special Publication 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal\nInformation Systems: A Security Life Cycle Approach (February 2010), p. 2, section 1.1, Purpose and\nApplicability, http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.\n19\n   NIST SP 800-37, Rev. 1, p. 5, section 2.1, Integrated Organization-Wide Risk Management,\nhttp://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.\n2011 Annual FISMA Executive Summary Report                                                     February 2, 2012\nReport No. 501\n                                         Page 6\n                                 REDACTED PUBLIC VERSION\n\x0cdecisions. 20 Currently, OIT is only addressing risk at the information system\nlevel.\n\nBased on interviews with staff in the SEC\xe2\x80\x99s Office of Risk Management (ORM)\nand NIT\xe2\x80\x99s review of the OIT risk management policy, NIT has concluded that\nORM is responsible for establishing and implementing standards to manage\nintegrated risk management and operational readiness across the organization.\nORM has developed a five-level maturity model to define the roadmap to\nadvanced operational risk management within the SEC. The five levels are\nFunctional Level 1, Coordinated Level 2, Standardized Level 3, Integrated Level\n4, and Optimized Level 5.\n\nFunctional Level 1 is embedded in functional business units and divisions, relies\non the initiative of key people, and focuses on financial and hazard risks. Risk\nmanagement is not well understood at this level. At Coordinated Level 2,\nfunctional departments coordinate on high-profile risk, and risk management is\ndriven by external compliance requirements. Standardized Level 3 focuses on\nmanagement processes and controls. Risk processes are standardized in an\nenterprise framework communicated to staff. Integrated Level 4 includes a\ncomprehensive risk agenda. At Optimized Level 5, formal ORM processes are\nembedded in strategic planning and risk management. 21\n\nORM is currently working with OIT on Coordinated Level 2 of the roadmap, which\nincorporates the organizational level, mission and business level, and information\nsystems level. Coordinated Level 2 addresses the following:\n\n     \xe2\x80\xa2   Functional departments to coordinate on high-profile risk\n     \xe2\x80\xa2   Formally documented controls\n     \xe2\x80\xa2   Risk management driven by external compliance requirements\n     \xe2\x80\xa2   Policies and procedures established by business units\n\nBased on interviews with OIT, NIT found that OIT has begun working with ORM\nto develop a comprehensive risk management strategy in accordance with NIST\nSP 800-37, Rev 1. 22 OIT is currently conducting risk assessments at the\ninformation system level in compliance with the archived version of NIST 800-37,\nGuide for the Security Certification and Accreditation of Federal Information\nSystems, 23 and is also in compliance with NIST Special Publication 800-30, Risk\nManagement Guide for Information Technology Systems, released in July\n20\n    NIST SP 800-37, Rev. 1, p. 5, section 2.1, Integrated Organization-Wide Risk Management,\nhttp://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.\n21\n    The definitions for the five risk levels are found in the SEC Office of Risk Management Office Stand Up\nfile, dated September 8, 2011, p. 3.\n22\n    NIST SP 800-37, Rev 1, Guide for Applying the Risk Management Framework to Federal Information\nSystems: A Security Life Cycle Approach (February 2010), http://csrc.nist.gov/publications/nistpubs/800-37-\nrev1/sp800-37-rev1-final.pdf.\n23\n    NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems\n(May 2004), http://csrc.nist.gov/publications/PubsSPArch.html.\n2011 Annual FISMA Executive Summary Report                                                    February 2, 2012\nReport No. 501\n                                         Page 7\n                                 REDACTED PUBLIC VERSION\n\x0c2002. 24 NIT did not compare OIG\xe2\x80\x99s risk management strategy against NIST SP\n800-30, Rev. 1, Draft Guide for Conducting Risk Assessments, 25 because this\nNIST document has not been issued in final form.\n\nBecause it has not updated its risk assessment policy to address the RMF\nspecified in NIST SP 800-37, the SEC has not developed a comprehensive\nstrategy to manage risk at the organization level, the mission and business level,\nand the information system level. OIT is currently assessing risk only at the\ninformation system level and is not taking into consideration the impact of the\ncumulative information system risks that can be rolled up to the mission and\nbusiness level and the organization level.\n\n        Recommendation 2:\n\n        The Office of Information Technology should develop a comprehensive\n        risk management strategy in accordance with National Institute of\n        Standards and Technology, Guide for Applying the Risk Management\n        Framework to Federal Information Systems: A Security Life Cycle\n        Approach, that will ensure management of system-related security risks is\n        consistent with the Commission\xe2\x80\x99s mission/business objectives and overall\n        risk strategy.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VII for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n        Recommendation 3:\n\n        The Office of Information Technology should update its risk management\n        policy to include language regarding developing a comprehensive\n        governance structure and ensure management of system-related security\n        risks is consistent with the Commission\xe2\x80\x99s mission/business objectives and\n        overall risk strategy.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VII for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n24\n   NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002),\nhttp://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.\n25\n   NIST SP 800-30, Rev 1, Draft Guide for Conducting Risk Assessments (Sept. 19, 2011),\nhttp://csrc.nist.gov/publications/PubsDrafts.html#SP-800-30-Rev.%201.\n2011 Annual FISMA Executive Summary Report                                              February 2, 2012\nReport No. 501\n                                       Page 8\n                               REDACTED PUBLIC VERSION\n\x0c        Recommendation 4:\n\n        The Office of Information Technology should develop and implement a\n        formal risk management procedure that identifies an acceptable process\n        for evaluating system risk and is consistent with the Commission\xe2\x80\x99s\n        mission/business objectives and overall risk strategy.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VII for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n\nFinding 3: OIT Has Not Formally Defined a\nTailored Set of Baseline Security Controls\nand Has Not Tailored Control Sets for Specific\nSystems\n        OIT has not developed formal policy or procedures that\n        provide instructions for tailoring baseline security controls in\n        accordance with NIST requirements. Further, OIT has not\n        tailored its baseline security controls for each applicable\n        SEC system that requires such controls.\n\nNIT found that OIT has developed a System Security Plan (SSP) for each SEC\ncritical system in accordance with NIST Special Publication 800-18, Guide for\nDeveloping Security Plans for Federal Information Systems (NIST SP 800-18). 26\nThe SSP is a \xe2\x80\x9c[f]ormal document that provides an overview of the security\nrequirements for the information system and describes the security controls in\nplace or planned for meeting those requirements.\xe2\x80\x9d 27 OIT identifies a generic set\nof baseline security controls in each SSP, based on the security categorization of\nthe system, but has not taken any action to tailor the baseline security controls\nset consistent with the guidance in NIST SP 800-37.\n\nNIST SP 800-37 states the following:\n\n        The security control selection process includes as appropriate:\n\n\n\n26\n   NIST SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems,\nhttp://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf.\n27\n   NIST SP 800-18, p. 39, http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf.\n2011 Annual FISMA Executive Summary Report                                                February 2, 2012\nReport No. 501\n                                       Page 9\n                               REDACTED PUBLIC VERSION\n\x0c         (i) choosing a set of baseline security controls; (ii) tailoring the\n         baseline security controls by applying scoping, parameterization,\n         and compensating control guidance; (iii) supplementing the tailored\n         baseline security controls, if necessary, with additional controls \xe2\x80\xa6;\n         and (iv) specifying minimum assurance requirements, as\n         appropriate. Organizations document in the security plan, the\n         decisions (e.g., tailoring, supplementation, etc.) taken during the\n         security control selection process, providing a sound rationale for\n         those decisions. 28\n\nOIT has accomplished only the first of these four items. Without a formal tailored\nbaseline security controls set, the security requirements for each system could\nbe either understated or overstated and critical controls may not be identified.\n\nNIT found that the baseline security controls for each system are evaluated as\npart of the SEC Security Test and Evaluation (ST&E). The ST&E is the security\ndocument that contains the assessment methods and the assessment results for\nthe required security controls for each system. 29\n\nThrough interviews with OIT staff and a review of system documentation, NIT\nfound that OIT lacks formal policy and procedures to provide appropriate\nguidance to SEC IT security staff to ensure that the baseline security controls set\nis properly tailored in accordance with the requirements of NIST SP 800-53. 30\nFigure 2, below, summarizes the process recommended by NIST for selecting\nsecurity controls, including tailoring of the initial security control baseline and any\nadditional modifications required based on an organizational assessment of\nrisk. 31\n\n\n\n\n28\n   NIST SP 800-37, Rev. 1, p. 25, http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-\nfinal.pdf.\n29\n   See NIST SP 800-53A, Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems\nand Organizations (June 2010), p. ix (NIST SP 800-53A), http://csrc.nist.gov/publications/nistpubs/800-53A-\nrev1/sp800-53A-rev1-final.pdf.\n30\n   NIST SP 800-53, Rev. 3, p. 25, fig. 3.2, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n31\n   NIST SP 800-53, Rev. 3, p. 25, fig. 3.2, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                     February 2, 2012\nReport No. 501\n                                         Page 10\n                                 REDACTED PUBLIC VERSION\n\x0c     Figure 2: Security Control Selection Process\n\n\n\n\n     Source: NIST SP 800-53.\n\nNIT also found that OIT had not developed or defined a tailored set of baseline\nsecurity controls in the SSP or other security documents for the   systems that\nit examined. The table 1 SEC Systems and Date Accessed lists the systems and\nthe date that NIT accessed them.\n\n                   Table 1: SEC Systems and Date Accessed\n\n                                             Date Accessed on the\n                          SEC System\n                                               SEC Intranet Site\n                                             August 15, 2011\n                                             August 29, 2011\n                                             September 7, 2011\n                                             September 7, 2011\n                                             August 29, 2011\n                                             September 7, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                                             September 8, 2011\n                   Source: NIT Generated.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                          February 2, 2012\nReport No. 501\n                                       Page 11\n                               REDACTED PUBLIC VERSION\n\x0cFurther, NIT found that OIT mistakenly interpreted NIST SP 800-53 as requiring\nno tailoring of the baseline security controls set beyond selection of the\nappropriate set based on the system\xe2\x80\x99s security categorization. NIT\xe2\x80\x99s review of\nthe Certification and Accreditation (C&A) packages, including the       systems\xe2\x80\x99\nSSP and the ST&E documents, provided no indication that the baseline security\ncontrols set was tailored in accordance with the guidance in NIST SP 800-53.\n\nOIT\xe2\x80\x99s use of a generic controls set based only on security categorization without\nadditional tailoring may result in its understating or overstating the security\nrequirements for systems. Additionally, without tailoring, OIT may fail to identify\ncritical controls, resulting in risks to the information system, mission and business\nprocesses, and the organization.\n\n       Recommendation 5:\n\n       The Office of Information Technology should develop and implement\n       formal policy that addresses tailoring baseline security controls sets.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n       Recommendation 6:\n\n       The Office of Information Technology should determine whether it should\n       perform the tailoring process at the organization level for all information\n       systems (either as the required tailored baseline or as the starting point for\n       system-specific tailoring), at the individual information system level, or by\n       using a combination of organization-level and system-specific approaches.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n       Recommendation 7:\n\n       The Office of Information Technology should tailor a baseline security\n       controls set (with rationale) for applicable systems in accordance with the\n       guidance in National Institute of Standards and Technology, Guide for\n       Applying the Risk Management Framework to Federal Information\n       Systems: A Security Life Cycle Approach, and National Institute of\n\n2011 Annual FISMA Executive Summary Report                             February 2, 2012\nReport No. 501\n                                    Page 12\n                            REDACTED PUBLIC VERSION\n\x0c         Standards and Technology, Recommended Security Controls for Federal\n         Information Systems and Organizations.\n\n         Management Comments. OIT concurred with this recommendation.\n         See Appendix VII for management\xe2\x80\x99s full comments.\n\n         OIG Analysis. We are pleased that OIT concurred with this\n         recommendation.\n\n\nFinding 4: OIT Has Not Conducted\nConfiguration Compliance Scans and Needs a\nDefined Process to Address Compliance Scan\nResults in a Timely Manner\n         OIT\xe2\x80\x99s baseline configurations are outdated and are\n         inconsistent with NIST guidance. OIT\xe2\x80\x99s current configuration\n         management policies and procedures do not address the\n         timely processing and remediation of deviations or\n         exceptions from the defined configuration settings. Further,\n         OIT has not conducted configuration compliance scans.\n\nNIT found that the OIT has documented policies and procedures for configuration\nmanagement 32 and a defined, standard baseline configuration for its major IT\ndevices, including\n        . 35 However, these policies and procedures and the standard baseline\nconfiguration are outdated by three or more years and are therefore inconsistent\nwith current FISMA requirements, and NIST SP 800-53. 36\n\nThe current baseline configurations are inconsistent with NIST guidance since\nthey do not represent a \xe2\x80\x9cdocumented, up-to-date specification to which the\ninformation system is built.\xe2\x80\x9d According to NIST SP 800-53, \xe2\x80\x9cMaintaining the\nbaseline configuration involves creating new baselines as the information system\nchanges over time.\xe2\x80\x9d 37 In addition, based on interviews with OIT and examination\n\n\n32\n    The policies and procedures reviewed for a\n33\n   Windows\xc2\xae Server is a brand name for a group of server operating systems released by Microsoft\xc2\xae\nCorporation.\n34\n                            are                        that                                       Microsoft\xc2\xae\nCorporation.\n35\n                           are the                       free and open\n 36\n    NIST SP 800-53, Rev. 3, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n37\n    NIST SP 800-53, Rev. 3, p. F-38, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                   February 2, 2012\nReport No. 501\n                                        Page 13\n                                REDACTED PUBLIC VERSION\n\x0c                                                                       38\nof OIT Implementing Instruction                                           NIT\nfound that OIT\xe2\x80\x99s current configuration management policies and procedures do\nnot address the timely processing and remediation of deviations or exceptions\nfrom the defined configuration settings.\n\nAs a result, OIT may be unaware of devices that do not meet its minimum\nconfiguration requirements and it may therefore be impossible for OIT to\ndetermine if the devices have been configured in accordance with approved\nbaseline configuration. Improperly configured devices may present increased\nsecurity related risks to the systems and the organization.\n\nNIT also found that OIT has failed to conduct configuration compliance scans to\nensure that current configurations comply with their defined, documented\nbaseline configuration. OIT lacked an automated tool capable of conducting\nautomated configuration scans, and it was not feasible for OIT to conduct manual\ncompliance checks for its large population of devices. OIT has recently acquired\nan automated compliance tool, Qualys, which is capable of identifying and\ndocumenting deviations from the defined, standard baseline configuration. NIT\nalso found that OIT has not identified, documented, and approved deviations or\nexceptions from its defined configuration settings.\n\nWith respect to configuration management, NIST SP 800-53 recommends that\norganizations develop, document, and maintain under configuration control \xe2\x80\x9ca\ncurrent baseline of the information system.\xe2\x80\x9d NIST SP 800-53 also states the\nfollowing with respect to configuration settings:\n\n        The organization:\n\n        a. Establishes and documents mandatory configuration settings for\n           information technology products employed within the\n           information system using [Assignment: organization-defined\n           security configuration checklists] that reflect the most restrictive\n           mode consistent with operational requirements;\n        b. Implements the configuration settings;\n        c. Identifies, documents, and approves exceptions from the\n           mandatory configuration settings for individual components\n           within the information system based on explicit operational\n           requirements; and\n        d. Monitors and controls changes to the configuration settings in\n           accordance with organizational policies and procedures. 39\n\n\n38\n  OIT Implementing Instruction                                                        ). The implementing\ninstruction is\n\n   NIST SP 800-53, Rev. 3, p. F-42, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                  February 2, 2012\nReport No. 501\n                                         Page 14\n                                 REDACTED PUBLIC VERSION\n\x0cBecause OIT lacks up-to-date policies and procedures, its current configuration\nmay not comply with current FISMA and NIST best practices. Also, without\nidentifying, documenting, and approving deviations, OIT may inconsistently apply\nconfigurations to its IT devices, which could lead to weaknesses in its\nenvironment. In addition, without an automated tool, OIT may continue to fail to\nconduct compliance scans for its major IT devices, potentially leaving OIT\nunaware of devices that do not meet minimum configuration requirements. Thus,\nit may be impossible to determine if the devices have been properly configured in\naccordance with the approved baseline configurations. Improperly configured\ndevices may present increased security related risks to the systems and the\norganization.\n\n       Recommendation 8:\n\n       The Office of Information Technology should review and update its\n       configuration management policy and ensure that it complies with the\n       Federal Information Security Management Act requirements, the\n       guidelines specified in National Institute of Standards and Technology,\n       Recommended Security Controls for Federal Information Systems and\n       Organizations, and its internal requirements.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n       Recommendation 9:\n\n       The Office of Information Technology should review and document its\n       current standard baseline configuration, including identification of\n       approved deviations and exceptions to the standard.\n\n       Management Comments. OIT concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n       Recommendation 10:\n\n       The Office of Information Technology should conduct compliance scans of\n       its information technology devices, according to the organizationally\n       defined frequency in the policy and procedures, to ensure that all devices\n\n\n2011 Annual FISMA Executive Summary Report                           February 2, 2012\nReport No. 501\n                                    Page 15\n                            REDACTED PUBLIC VERSION\n\x0c        are configured as required by the Office of Information Technology\xe2\x80\x99s\n        configuration management policy and procedures.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VII for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n        Recommendation 11:\n\n        The Office of Information Technology should update its policy and include\n        language indicating that deviations from baseline configurations that are\n        identified and documented as a result of the configuration compliance\n        scans are properly remediated in a timely manner.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VII for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n\nFinding 5: Multi-Factor Authentication for System\nAccess Has Not Been Linked to the SEC\xe2\x80\x99s\nPersonal Identity Verification Program\n        OIT still has not implemented the technical solution for\n        linking the Personal Identity Verification (PIV) cards to multi-\n        factor authentication. As a result, the SEC continues to be\n        noncompliant with Homeland Security Presidential Directive-\n        12 (HSPD-12), 40 requirements. This noncompliance puts\n        the SEC at a higher risk for unauthorized access to its\n        information systems.\n\nMulti-factor authentication for system access is the process for establishing\nconfidence of authenticity by using two or more factors to achieve authentication.\nThe Commission is required to have a minimum of two of the three factors for\nmulti-factor authentication. The three factors of multi-factor authentication\ninclude:\n\n\n40\n  HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors, (Aug. 27,\n2004), http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm.\n2011 Annual FISMA Executive Summary Report                                            February 2, 2012\nReport No. 501\n                                      Page 16\n                              REDACTED PUBLIC VERSION\n\x0c          (1) something one knows such as a password or personal\n              identification number (PIN),\n          (2) something one has such as a PIV card, 41 and\n          (3) something one is such as a physical security token, or a\n              biometric 42 feature such as a fingerprint or retina scan.\n\nFormer President George W. Bush signed HSPD-12 in August 2004. It required\nfederal agencies to have programs in place to ensure that identification issued by\neach agency to federal employees and contractors meets a common standard.\nHSPD-12 directed the Secretary of Commerce to promulgate a standard for\nsecure and reliable forms of identification within 6 months after the date of the\ndirective. 43 The standard, Federal Information Processing Standards Publication\n201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors\n(FIPS 201-1), was issued by NIST on February 25, 2005, and revised in March\n2006. 44 HSPD-12 also included the following deadlines:\n\n     \xe2\x80\xa2   No more than four months after promulgation of the standard,\n         heads of executive departments and agencies were to have a\n         program in place to ensure that identification issued to employees\n         and contractors met the standard.\n\n     \xe2\x80\xa2   No more than eight months after promulgation of the standard,\n         heads of executive departments and agencies were to require, to\n         the maximum extent practicable, that employees and contractors\n         use identification that met the standard to gain physical access to\n         federally controlled facilities and logical access to federally\n         controlled information systems. 45\n\nAccording to the OIG\xe2\x80\x99s report entitled, The SEC\xe2\x80\x99s Implementation of and\nCompliance with HSPD-12, Report No. 481, issued in March 2011, the SEC had\nmissed virtually all the HSPD-12 deadlines. 46 We found that the SEC had not, to\nthe maximum extent practical, required the use of identification by federal\n\n41\n   A PIV card is defined as \xe2\x80\x9c[a] physical artifact (e.g., identity card, \xe2\x80\x98smart card\xe2\x80\x99) issued to an individual that\ncontains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint\nrepresentation) so that the claimed identity of the cardholder can be verified against the stored credentials\nby another person (human readable and verifiable) or an automated process (computer readable and\nverifiable).\xe2\x80\x9d Federal Information Processing Standards Publication (FIPS Pub.) 201-1, Personal Identity\nVerification (PIV) of Federal Employees and Contractors, p. 73, Appendix F,\nhttp://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.\n42\n   Biometric is defined as \xe2\x80\x9c[a] measurable, physical characteristic or personal behavioral trait used to\nrecognize the identity, or verify the claimed identity, of an Applicant. Facial images, fingerprints, and iris scan\nsamples are all examples of biometrics.\xe2\x80\x9d FIPS Pub. 201-1, p. 70,\nhttp://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.\n43\n   HSPD-12, para. 2, http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm.\n44\n   FIPS 201-1, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.\n45\n   HSPD-12, para. 4, http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm.\n46\n   OIG, The SEC\xe2\x80\x99s Implementation of and Compliance with Homeland Security Presidential Directive 12,\nReport No. 481 (Mar. 31, 2011), p. 3, http://www.sec-oig.gov/Reports/AuditsInspections/2011/481.pdf.\n2011 Annual FISMA Executive Summary Report                                                         February 2, 2012\nReport No. 501\n                                          Page 17\n                                  REDACTED PUBLIC VERSION\n\x0cemployees and contractors that met the standard in gaining physical access to\nfederally controlled facilities and logical access to federally controlled information\nsystems because the SEC had not completed background investigations for all\nemployees who had more than 15 years of federal service in compliance with the\nprescribed deadline. As a result, in the OIG Report No. 481, we recommended\nto the SEC\xe2\x80\x99s Office of Human Resources immediately, but no later than 90 days\nafter the issuance of the report, initiate background investigations for all current\nemployees who did not have successfully adjudicated investigations on record.\n\nWhile the Office of Human Resources concurred with the recommendation and\nhas since initiated background investigations, as of this date, they have not\ncompleted background investigations for all employees and have not provided\nthe OIG with a date as to when that the background investigations will be\ncompleted. It should be noted that a background investigation must be\ncompleted prior to receipt of a PIV badge.\n\nAt that time of the March 2011 report, the Office of Human Resources was\nresponsible for oversight of the background investigations but has since\ntransferred this responsibility to the Office of Security Services (OSS), Personnel\nSecurity Branch.\n\nOSS\xe2\x80\x99s Physical Security Branch is responsible for enrolling PIV cards into its\nphysical access control system and providing temporary SEC-issued badges\nwhile employees or contractors are awaiting receipt of their PIV cards. Physical\nSecurity has initiated the process for issuing PIV cards to all eligible employees\nand contractors. OIT is responsible for overseeing implementation of\ntechnological solutions for the use of PIV cards for multi-factor authentication for\naccess to SEC information systems.\n\nAccording to information obtained in interviews with OIT staff and a review of\nSEC information systems, OIT\xe2\x80\x94more than six years after NIST\xe2\x80\x99s promulgation of\nFIPS 201-1\xe2\x80\x94is still in the process of developing a technical solution for\nimplementing PIV cards as a second authentication factor for accessing SEC\ninformation systems. According to the OIG\xe2\x80\x99s 2010 Annual FISMA Executive\nSummary Report, OIT concurred with the OIG\xe2\x80\x99s recommendation that OIT\ncomplete the logical access integration of the PIV card no later than December\n2011, as reported to OMB in the SEC\xe2\x80\x99s HSPD-12 Implementation Status Report\non December 31, 2010. 47 OIT also concurred with the following recommendation\nin The SEC\xe2\x80\x99s Implementation of and Compliance with Homeland Security\nPresidential Directive 12:\n\n\n\n\n47\n  OIG, 2010 Annual FISMA Executive Summary Report, Report No. 489 (Mar. 3, 2011), http://www.sec-\noig.gov/Reports/AuditsInspections/2011/489.pdf.\n2011 Annual FISMA Executive Summary Report                                           February 2, 2012\nReport No. 501\n                                      Page 18\n                              REDACTED PUBLIC VERSION\n\x0c        Recommendation 16: The Office of the Executive Director\n        should develop and implement a policy requiring the\n        Personal Identity Verification badge to be used as a common\n        and primary means of authentication for physical and logical\n        access. 48\n\nAlthough OIT has concurred with the recommendations made in both reports,\nOIT has not completed the requirements to use the PIV card for multi-factor\nauthentication for accessing SEC information systems.\n\nAs of the date of this report, OIT has not advised the OIG of a date for\ncompleting the implementation of PIV cards as a required second authentication\nfactor for accessing SEC information systems.\n\nBecause it has not implemented multi-factor authentication that is linked to the\nPIV card program, the SEC is not in compliance with the requirements of HSPD-\n12 49 or with NIST SP 800-53, Identification and Authentication, IA-2. 50 Failure to\nimplement multi-factor authentication may place the Commission at a higher risk\nfor unauthorized access to its information systems.\n\n        Recommendation 12:\n\n        The Office of Information Technology should provide a new date to the\n        Office of Management and Budget for implementing the technical solution\n        for linking multifactor authentication to Personal Identity Verification cards\n        for system authentication.\n\n        Management Comments. OIT concurred with this recommendation.\n        See Appendix VII for management\xe2\x80\x99s full comments.\n\n        OIG Analysis. We are pleased that OIT concurred with this\n        recommendation.\n\n        Recommendation 13:\n\n        The Office of Information Technology should complete its implementation\n        of the technical solution for linking multi-factor authentication to Personal\n        Identity Verification (PIV) cards for system authentication and require use\n        of the PIV cards as a second authentication factor by December 2012.\n\n\n\n48\n   OIG, The SEC\xe2\x80\x99s Implementation of and Compliance with Homeland Security Presidential Directive 12, p.\n31, http://www.sec-oig.gov/Reports/AuditsInspections/2011/481.pdf.\n49\n   HSPD-12, para. 4, http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm.\n50\n   NIST SP 800-53, Rev. 3, pp. F-54 and F-55, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-\n53-rev3-final_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                  February 2, 2012\nReport No. 501\n                                        Page 19\n                                REDACTED PUBLIC VERSION\n\x0c       Management Comments. OIT concurred with this recommendation.\n       See Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                         February 2, 2012\nReport No. 501\n                                    Page 20\n                            REDACTED PUBLIC VERSION\n\x0c                                                                        Appendix I\n\n\n                                 Abbreviations\n\n    BIA                          business impact analysis\n    C&A                          Certification and Accreditation\n    CIO                          Chief Information Officer\n    CM                           Configuration Management\n    FDCC                         Federal Desktop Core Configuration\n    FIPS                         Federal Information Processing Standard\n    FISMA                        Federal Information Security Management Act\n    HSPD-12                      Homeland Security Presidential Directive 12\n    IDS                          Intrusion Detection System\n    II                           Implementing Instruction\n    IPS                          Intrusion Prevention System\n    ISA                          Interconnection Security Agreement\n    IT                           information technology\n    LAN                          local area network\n    MOU                          memorandum of understanding\n    NIST                         National Institute of Standards and Technology\n    OSS                          Office of Security Services\n    OIG                          Office of Inspector General\n    OIT                          Office of Information Technology\n    OMB                          Office of Management and Budget\n    PIN                          personal identification number\n    PIV                          Personal Identity Verification\n    POAM                         Plan of Actions and Milestones\n    SEC or Commission            Securities and Exchange Commission\n    SSP                          System Security Plan\n    ST&E                         Security Test and Evaluation\n    US-CERT                      United States Computer Emergency Readiness\n                                 Team\n\n\n\n\n2011 Annual FISMA Executive Summary Report                             February 2, 2012\nReport No. 501\n                                    Page 21\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                        Appendix II\n\n\n                          Scope and Methodology\n\nThe full version of this report includes information that the SEC considers to be\nsensitive or proprietary. To create this public version of the report, the OIG\nredacted (blacked out) potentially sensitive, proprietary information from the\nreport.\n\nScope. NIT conducted this review from June 2011 to October 2011. The scope\nof the review consisted of the following areas specified in OMB\xe2\x80\x99s fiscal year 2011\nFISMA reporting instructions:\n\n     \xe2\x80\xa2   risk management\n     \xe2\x80\xa2   configuration management\n     \xe2\x80\xa2   incident response and reporting\n     \xe2\x80\xa2   security training\n     \xe2\x80\xa2   evaluation of agency plan of action and milestones process\n     \xe2\x80\xa2   remote access management\n     \xe2\x80\xa2   identity and access management\n     \xe2\x80\xa2   continuous monitoring management\n     \xe2\x80\xa2   contingency planning\n     \xe2\x80\xa2   agency oversight of contractor systems\n     \xe2\x80\xa2   security capital planning 51\n\nWe conducted our review at the SEC\xe2\x80\x99s Operations Center in Alexandria, VA and\nheadquarters site in Washington, D.C.\n\nMethodology. FISMA requires that federal agencies have an annual\nindependent evaluation of their information security program and practices\nperformed. The evaluation is to be conducted by the agency\xe2\x80\x99s inspector general\nor by an independent external auditor. 52 The overall objective of the 2011 FISMA\nassessment was to assess the SEC\xe2\x80\x99s systems and provide the OIG with input to\nthe Commission\xe2\x80\x99s response to OMB M-11-33. To meet this object NIT\nconducted the 2011 review of the SEC\xe2\x80\x99s information security program based on\nguidance issued by OMB and NIST. NIT completed all data collection\ninstruments required for 2011 FISMA reporting, performed the necessary\nevaluation procedures to answer questions to be published by OMB in its\nreporting guidance, and compiled this Executive Summary Report for the SEC\nOIG.\n\n\n51\n   OMB M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and\nPrivacy Management Act, http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf.\n52\n   Pub. L. No. 107-347, title III, \xc2\xa7 3545(a), (b).\n2011 Annual FISMA Executive Summary Report                                              February 2, 2012\nReport No. 501\n                                       Page 22\n                               REDACTED PUBLIC VERSION\n\x0c                                                                                     Appendix II\n\n\nTo complete the OIG\xe2\x80\x99s portion of the annual FISMA questionnaire, NIT\ninterviewed key OIT personnel and examined policies, procedures, and other\nrelated documentation. The key personnel included system owners, OIT\nrepresentatives, and OIG stakeholders. Follow-up interviews were conducted to\ngather additional evidence. NIT reviewed relevant documentation (such as\npolicies, procedures, and roles and responsibilities) to address the evaluation\nobjective. Our review of policies and procedures also included discussions with\nSEC officials to discuss and confirm our findings. NIT\xe2\x80\x99s review covered the 11\nareas identified in the scope.\n\nNIT IT security professionals reviewed OIT\xe2\x80\x99s C&A packages, including POA&M,\nSSP, Risk Assessments, ST&E, C&A memoranda, and applicable policies and\nprocedures, to determine OIT\xe2\x80\x99s compliance with OMB, FISMA, and NIST\nguidelines. NIT also reviewed other documentation relating to the scope of the\nfiscal year 2011 annual FISMA assessment. Our analysis was based on\ninformation provided from various sources, interviews with key SEC OIT\npersonnel, prior audit coverage, support documentation, and artifacts provided to\nNIT.\n\nManagement Controls. NIT did not assess OIT\xe2\x80\x99s management control structure\nor its internal controls because it did not pertain to the objectives of this review.\nNIT reviewed existing controls at the Commission considered specific to the 2011\nFISMA OIG questionnaire. To thoroughly understand OIT\xe2\x80\x99s management\ncontrols pertaining to its policies and procedures and methods of operation, NIT\nrelied on information requested from and supplied by OIT staff members and\ninformation from NIT interviews with various OIT personnel.\n\nUse of Computer-Processed Data. NIT did not assess the reliability of OIT\xe2\x80\x99s\ncomputers because it did not pertain to our objectives for this review. Further,\nNIT did not perform any tests on the general or application controls over OIT\xe2\x80\x99s\nautomated systems because such tests were not within the scope of our work.\nThe information that was retrieved from these systems as well as the requested\ndocumentation provided to us, was sufficient, reliable, and adequate to use in\nmeeting our stated objectives.\n\nPrior OIG Report. NIT reviewed the 2010 FISMA Executive Summary, which\nhas eight recommendations. 53 OIT has implemented and closed seven of these\nrecommendations, but one remains open. That recommendation called for OIT\nto complete the logical access integration of the HSPD-12 card no later than\nDecember 2011, as reported to the Office of Management and Budget on\nDecember 31, 2010. 54 NIT found that OIT is still in the process of addressing\nthis recommendation.\n\n53\n   OIG, 2010 FISMA Executive Summary, Report No. 489 (Mar. 3, 2011), http://www.sec-\noig.gov/Reports/AuditsInspections/2011/489.pdf.\n54\n   See 2010 FISMA Executive Summary, page 9.\n2011 Annual FISMA Executive Summary Report                                           February 2, 2012\nReport No. 501\n                                      Page 23\n                              REDACTED PUBLIC VERSION\n\x0c                                                                    Appendix II\n\n\nJudgmental Sampling. As required by FISMA, NIT conducted a limited review\nof the Commission\xe2\x80\x99s information security posture. The review consisted of NIT\xe2\x80\x99s\nreviewing the security assessment packages for a representative sample of     of\napproximately    SEC systems that were agreed upon between the SEC and\nNIT. 55\n\n\n\n\n55\n     The   systems selected were the\n\n\n\n\n2011 Annual FISMA Executive Summary Report                         February 2, 2012\nReport No. 501\n                                        Page 24\n                                REDACTED PUBLIC VERSION\n\x0c                                                                     Appendix III\n\n\n                          Criteria and Guidance\n\nFederal Information Security Management Act of 2002, Title III, Pub. L. No.\n107-347. Requires federal agencies to develop, document, and implement an\nagency-wide program providing security for the information and information\nsystems that support the operations and assets of the agency, including those\nprovided or managed by another agency, contractor, or other source.\n\nOMB Memorandum 11-33, FY 2011 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management.\nProvides instructions to agencies for meeting fiscal year 2011 reporting\nrequirements under FISMA.\n\nNIST Special Publication 800-18, Revision 1, Guide for Developing Security\nPlans for Federal Information Systems. Provides guidance for improving\nprotection of information system resources.\n.\nNIST Special Publication 800-53, Revision 3, Recommended Security\nControls for Federal Information Systems and Organizations. Provides\nguidance related to the steps in the RMF that address security control section.\n\nNIST Special Publication 800-53A, Revision 1, Guide for Assessing the\nSecurity Controls in Federal Information Systems and Organizations\n(companion guideline to NIST SP 800-53). Covers the security control\nassessment and continuous monitoring steps in the RMF and provides guidance\non the security assessment process.\n\nNIST Special Publication 800-37, Revision 1, Guide for Applying the Risk\nManagement Framework to Federal Information Systems: A Security Life\nCycle Approach. Provides guidance for applying the RMF to federal information\nsystems.\n\nHomeland Security Presidential Directive-12 (HSPD-12), Policies for a\nCommon Identification Standard for Federal Employees and Contractors.\nProvides guidance and details for implementing a common identification standard\nthroughout federal agencies.\n\nFederal Information Processing Standard Publication 199 (FIPS 199),\nStandards for Security Categorization of Federal Information and\nInformation Systems. Provides guidance on the proper categorization of an\ninformation system based on the security level of the information contained in the\nsystem.\n\n\n2011 Annual FISMA Executive Summary Report                           February 2, 2012\nReport No. 501\n                                    Page 25\n                            REDACTED PUBLIC VERSION\n\x0c                                                                   Appendix III\n\n\nFederal Information Processing Standard Publication 200 (FIPS 200),\nMinimum Security Requirements for Federal Information and Information\nSystems. Outlines the minimum security requirements for the security of federal\ninformation system.\n\nFederal Information Processing Standard Publication 201-1 (FIPS 201-1),\nPersonal Identity Verification (PIV) of Federal Employees and Contractors.\nOutlines the HSPD-12 requirements.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                        February 2, 2012\nReport No. 501\n                                    Page 26\n                            REDACTED PUBLIC VERSION\n\x0c                                                                     Appendix IV\n\n\n                       List of Recommendations\n\nRecommendation 1:\n\nThe Office of Information Technology (OIT) should develop and implement a\ndetailed plan to review and update OIT security policies and procedures and to\ncreate OIT security policies and procedures for areas that lack formal policy and\nprocedures.\n\nRecommendation 2:\n\nThe Office of Information Technology should develop a comprehensive risk\nmanagement strategy in accordance with National Institute of Standards and\nTechnology, Guide for Applying the Risk Management Framework to Federal\nInformation Systems: A Security Life Cycle Approach, that will ensure\nmanagement of system-related security risks is consistent with the Commission\xe2\x80\x99s\nmission/business objectives and overall risk strategy.\n\nRecommendation 3:\n\nThe Office of Information Technology should update its risk management policy\nto include language regarding developing a comprehensive governance structure\nand ensure management of system-related security risks is consistent with the\nCommission\xe2\x80\x99s mission/business objectives and overall risk strategy.\n\nRecommendation 4:\n\nThe Office of Information Technology should develop and implement a formal\nrisk management procedure that identifies an acceptable process for evaluating\nsystem risk is consistent with the Commission\xe2\x80\x99s mission/business objectives and\noverall risk strategy.\n\nRecommendation 5:\n\nThe Office of Information Technology should develop and implement formal\npolicy that addresses tailoring baseline security controls sets.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                           February 2, 2012\nReport No. 501\n                                    Page 27\n                            REDACTED PUBLIC VERSION\n\x0c                                                                      Appendix IV\n\n\nRecommendation 6:\n\nThe Office of Information Technology should determine whether it should perform\nthe tailoring process at the organization level for all information systems (either\nas the required tailored baseline or as the starting point for system-specific\ntailoring), at the individual information system level, or by using a combination of\norganization-level and system-specific approaches.\n\nRecommendation 7:\n\nThe Office of Information Technology should tailor a baseline security controls\nset (with rationale) for applicable systems in accordance with the guidance in\nNational Institute of Standards and Technology, Guide for Applying the Risk\nManagement Framework to Federal Information Systems: A Security Life Cycle\nApproach, and National Institute of Standards and Technology, Recommended\nSecurity Controls for Federal Information Systems and Organizations.\n\nRecommendation 8:\n\nThe Office of Information Technology should review and update its configuration\nmanagement policy and ensure that it complies with the Federal Information\nSecurity Management Act requirements, the guidelines specified in National\nInstitute of Standards and Technology, Recommended Security Controls for\nFederal Information Systems and Organizations, and its internal requirements.\n\nRecommendation 9:\n\nThe Office of Information Technology should review and document its current\nstandard baseline configuration, including identification of approved deviations\nand exceptions to the standard.\n\nRecommendation 10:\n\nThe Office of Information Technology should conduct compliance scans of its\ninformation technology devices, according to the organizationally defined\nfrequency in the policy and procedures, to ensure that all devices are configured\nas required by the Office of Information Technology\xe2\x80\x99s configuration management\npolicy and procedures.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                            February 2, 2012\nReport No. 501\n                                    Page 28\n                            REDACTED PUBLIC VERSION\n\x0c                                                                   Appendix IV\n\n\nRecommendation 11:\n\nThe Office of Information Technology should update its policy and include\nlanguage indicating that deviations from baseline configurations that are\nidentified and documented as a result of the configuration compliance scans are\nproperly remediated in a timely manner.\n\nRecommendation 12:\n\nThe Office of Information Technology should provide a new date to the Office of\nManagement and Budget for implementing the technical solution for linking\nmultifactor authentication to Personal Identity Verification cards for system\nauthentication.\n\nRecommendation 13:\n\nThe Office of Information Technology should complete its implementation of the\ntechnical solution for linking multi-factor authentication to Personal Identity\nVerification (PIV) cards for system authentication and require use of the PIV\ncards as a second authentication factor by December 2012.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                          February 2, 2012\nReport No. 501\n                                    Page 29\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                             Appendix V\n\n\n         OIG\xe2\x80\x99s Response to OMB Questionnaire\n\nSection 1: Status of Risk Management\n\nBackground. Risk management is an essential component of a successful IT\nsecurity program and should be consistent with OMB M-11-33, FY 2011\nReporting Instructions for the Federal Information Security Management Act and\nthe Agency Privacy Management Act, 56 FISMA, 57 and NIST guidelines\xe2\x80\x94\nspecifically, NIST SP 800-53. 58 NIST SP 800-37 59 also provides guidance for\napplying the RMF to federal information systems. The principal goal of an IT\nsecurity program\xe2\x80\x99s risk management process should be to protect the\norganization and its ability to perform its mission, not just its IT assets.\nTherefore, the risk management process should not be treated primarily as a\ntechnical function carried out by the IT experts who operate and manage the IT\nsystem, but as an essential management function of the organization.\n\nThe RMF, in accordance with NIST SP 800-37, consists of a three-tiered\napproach to risk management. The RMF is intended to improve information\nsecurity and strengthen the risk management process. (See figure 1 in this\nreport for a graphic summary of the RMF.) Tier 1 addresses risk from an\norganizational perspective through development of a comprehensive governance\nstructure and organization-wide risk management strategy. Tier 2 addresses risk\nfrom a mission and business process perspective, and its activities are closely\nassociated with enterprise architecture and are guided by Tier 1 risk decisions.\nTier 3 addresses risk from an information system perspective and is guided by\nTier 1 and Tier 2 risk decisions. 60\n\nRisk management is the process of identifying risk, assessing risk, and taking\nsteps to reduce risk to an acceptable level. The ultimate goal is to help\norganizations to better manage risks throughout all levels of the organization.\nThe objective of performing risk management is to enable the organization to\naccomplish its missions by better securing the IT systems that store, process, or\ntransmit organizational information.\n\n\n\n\n56\n   OMB M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and\nPrivacy Management Act, http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf.\n57\n   FISMA, Title III, Pub. L. No. 107-347, http://csrc.nist.gov/drivers/documents/FISMA-final.pdf.\n58\n   NIST SP 800-53, Rev. 3, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n59\n   NIST SP 800-37, Rev. 1, http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.\n60\n   NIST SP 800-37, Rev. 1, p. 5, http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-\nfinal.pdf.\n2011 Annual FISMA Executive Summary Report                                                    February 2, 2012\nReport No. 501\n                                         Page 30\n                                 REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\n\nA risk assessment is the process in the risk management methodology that\norganizations use to identify the likelihood of a threat or vulnerability, the extent\nof the potential threat, and the risk associated with an IT system.\nNIST SP 800-53 lists the following controls associated with risk assessment:\n\n     \xe2\x80\xa2   RA-1 Risk Assessment Policy and Procedures\n     \xe2\x80\xa2   RA-2 Security Categorization\n     \xe2\x80\xa2   RA-3 Risk Assessment\n     \xe2\x80\xa2   RA-5 Vulnerability Scanning 61\n\nA risk assessment helps to identify appropriate controls for reducing or\neliminating risk during the risk mitigation process.\n\nResponse. In response to question 1 on the OMB template, based on interviews\nand reviews of C&A packages and other SEC documentation, NIT determined\nthat the Commission has established and is maintaining a risk management\nprogram and that the risk management program is generally consistent with\nFISMA, OMB, and NIST requirements. A certification is \xe2\x80\x9c[a] comprehensive\nassessment of the management, operational and technical security controls in an\ninformation system, made in support of security accreditation, to determine the\nextent to which the controls are implemented correctly, operating as intended,\nand producing the desired outcome with respect to meeting the security\nrequirements for the system.\xe2\x80\x9d62 An accreditation is \xe2\x80\x9c[t]he official management\ndecision given by a senior agency official to authorize operation of an information\nsystem and to explicitly accept the risk to agency operations (including mission,\nfunctions, image, or reputation), agency assets, or individuals, based on the\nimplementation of an agreed-upon set of security controls.\xe2\x80\x9d 63\n\nIn response to question 1.a(1), NIT found that OIT has a documented and\ncentrally accessible risk management policy, II\n              64\n                 but does not have formal risk management procedures. OIT\xe2\x80\x99s\nrisk management policy includes the roles and responsibilities of participants.\n\nIn response to questions 1.a(2) through 1.a(4), NIT found that the current risk\nmanagement policy has not been updated since December 22, 2005, and does\nnot address risk from an organizational perspective or a mission and business\nprocess perspective, as described in NIST SP 800-37. However, the risk\nmanagement policy does address risk from an information system perspective.\n\n61\n   NIST SP 800-53, Rev. 3, pp. F-92-95, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n62\n   NIST SP 800-18, Rev. 1, p. 32, http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-\nfinal.pdf.\n63\n   NIST SP 800-18, Rev. 1, p. 31, http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-\nfinal.pdf.\n64\n   IT                            II                               , available in the OIT Policy Library,\n\n2011 Annual FISMA Executive Summary Report                                                February 2, 2012\nReport No. 501\n                                        Page 31\n                                REDACTED PUBLIC VERSION\n\x0c                                                                                          Appendix V\n\n\nIn response to question 1.a(5), NIT found that OIT categorizes information\nsystems in accordance with government policies.\n\nIn response to questions 1.a(6) and 1.a(7), NIT found that OIT identifies a\ngeneric set of baseline controls that are evaluated as part of the ST&E process. 65\nHowever, OIT has not developed any polices or procedures to define an\napproach for developing a tailored set of baseline controls for each system\nconsistent with NIST SP 800-53. 66 In addition, OIT has not defined or\nimplemented a process to tailor baseline security controls for each system. OIT\nconducts ST&Es based on the generic baseline set of security controls and not\nthe tailored set of security controls.\n\nIn response to question 1.a(8), NIT found that OIT assesses security controls for\nthe information systems using appropriate assessment procedures to determine\nthe extent to which the controls are implemented correctly, operating as\nintended, and producing the desired outcome with respect to meeting the\nsecurity requirements for the system.\n\nIn response to questions 1.a(9) through 1.a(14), after review of the C&A\ndocumentation (including SSPs and POA&Ms) , 67 NIT found that the Commission\nauthorizes information systems based on the level of risk and monitors\ninformation security controls on a regular basis. The risks are appropriately\ncommunicated to SEC officials, system owners, chief information officers, senior\ninformation security officers, and other key SEC stakeholders.\n\nShown below, Table 2 contains OIG\xe2\x80\x99s response to question 1, as provided by\nNIT.\n\n\n\n\n65\n   The ST&E is the security document that contains the assessment methods and the assessment results for\nthe required security controls for each system. NIST SP 800-53A, Rev. 1, p. ix,\nhttp://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf.\n66\n   NIST SP 800-53, Rev. 3, pp. 16-29, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-0 1-2010.pdf.\n67\n   The SSP is a \xe2\x80\x9c[f]ormal document that provides an overview of the security requirements for the\ninformation system and describes the security controls in place or planned for meeting those requirements.\xe2\x80\x9d\nThe POA&M is \xe2\x80\x9c[a] document that identifies tasks needing to be accomplished. It details resources required\nto accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion\ndates for the milestones.\xe2\x80\x9d NIST SP 800-18, Rev. 1, p. 37.\n2011 Annual FISMA Executive Summary Report                                                 February 2, 2012\nReport No. 501\n                                        Page 32\n                                REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\n\nTable 2: OIG Response to Question 1 From OMB Questionnaire\n       ID                     Questions from OMB Questionnaire                          Response\n\n\n 1.a           The Agency has established and is maintaining a risk management            Yes\n               program that is consistent with FISMA requirements, OMB policy,\n               and applicable NIST guidelines. Although improvement\n               opportunities may have been identified by the OIG, the program\n               includes the following attributes.\n 1.a(1)        Documented and centrally accessible policies and procedures for            No\n               risk management, including descriptions of the roles and\n               responsibilities of participants in this process.\n 1.a(2)        Addresses risk from an organization perspective with the                   No\n               development of a comprehensive governance structure and\n               organization-wide risk management strategy as described in NIST\n               800-37, Rev.1\n 1.a(3)        Addresses risk from a mission and business process perspective             No\n               and is guided by the risk decisions at the organizational perspective,\n               as described in NIST 800-37, Rev.1.\n 1.a(4)        Addresses risk from an information system perspective and is               Yes\n               guided by the risk decisions at the organizational perspective and\n               the mission and business perspective, as described in NIST 800-37,\n               Rev. 1.\n 1.a(5)        Categorizes information systems in accordance with government              Yes\n               policies.\n 1.a(6)        Selects an appropriately tailored set of baseline security controls.       No\n\n 1.a(7)     Implements the tailored set of baseline security controls and                 No\n            describes how the controls are employed within the information\n            system and its environment of operation.\n 1.a(8)     Assesses the security controls using appropriate assessment                   Yes\n            procedures to determine the extent to which the controls are\n            implemented correctly, operating as intended, and producing the\n            desired outcome with respect to meeting the security requirements\n            for the system.\n 1.a(9)     Authorizes information system operation based on a determination              Yes\n            of the risk to organizational operations and assets, individuals, other\n            organizations, and the Nation resulting from the operation of the\n            information system and the decision that this risk is acceptable.\n 1.a(10)    Ensures information security controls are monitored on an ongoing             Yes\n            basis including assessing control effectiveness, documenting\n            changes to the system or its environment of operation, conducting\n            security impact analyses of the associated changes, and reporting\n            the security state of the system to designated organizational\n            officials.\n 1.a(11)    Information system specific risks (tactical), mission/business specific       Yes\n            risks and organizational level (strategic) risks are communicated to\n            appropriate levels of the organization.\n 1.a(12)    Senior Officials are briefed on threat activity on a regular basis by         Yes\n            appropriate personnel. (e.g., CISO).\n 1.a(13)    Prescribes the active involvement of information system owners and            Yes\n            common control providers, chief information officers, senior\n            information security officers, authorizing officials, and other roles as\n            applicable in the ongoing management of information system-\n            related security risks.\nSource: OMB FISMA Web Portal.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                                February 2, 2012\nReport No. 501\n                                         Page 33\n                                 REDACTED PUBLIC VERSION\n\x0c                                                                                          Appendix V\n\n\nSection 2: Status of Configuration Management\nBackground. A configuration management program consists of the activities\nsurrounding the maintenance of the security configuration of a system or network\nin order to effectively manage risk. The program consists of patch management\nand remediation of vulnerabilities, regular scans of the network for vulnerabilities,\nestablishment of a standard baseline configuration, full hardware and software\ninventory, and a change management process.\n\nThe Federal Desktop Core Configuration (FDCC) is an OMB mandate that\nrequires all federal agencies to standardize the configuration (baseline) of\napproximately 300 settings on every Windows computer, agencywide. The\npurpose of the OMB mandate is to secure an ever-widening array of\nworkstations, servers, network devices, and software applications in terms of\ntechnology-specific controls. The reason for this standardization is to strengthen\nfederal IT security by reducing opportunities for hackers to access and exploit\ngovernment computer systems.\n\nPatch management is a key component in maintaining the security posture of a\nsystem. Software vendors provide patches and updates to remediate security\nvulnerabilities identified in their software. These patches and updates are made\navailable through the software vendor\xe2\x80\x99s website as they are released. Most\nvendors have a set day for releasing patches. For example, Microsoft releases\npatches and updates on the second Tuesday of each month. If a vulnerability is\nconsidered critical, a vendor may release patches outside of its usual cycle.\n\nNIST SP 800-53 provides guidance to government organizations on flaw\nremediation, such as patching and updates, and lists the following controls\nassociated with configuration management:\n\n     \xe2\x80\xa2   CM-1 Configuration Management Policy and Procedures\n     \xe2\x80\xa2   CM-2 Baseline Configuration\n     \xe2\x80\xa2   CM-3 Configuration Change Control\n     \xe2\x80\xa2   CM-4 Security Impact Analysis\n     \xe2\x80\xa2   CM-5 Access Restrictions for Change\n     \xe2\x80\xa2   CM-6 Configuration Settings\n     \xe2\x80\xa2   CM-7 Least Functionality\n     \xe2\x80\xa2   CM-8 Information System Component Inventory\n     \xe2\x80\xa2   CM-9 Configuration Management Plan 68\n\nThe NIST guidance recommends that organizations identify, report, and correct\ninformation system flaws, test software updates related to flaw remediation for\n\n68\n  NIST SP 800-53, Rev. 3, pp. F-38-46, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                 February 2, 2012\nReport No. 501\n                                        Page 34\n                                REDACTED PUBLIC VERSION\n\x0c                                                                       Appendix V\n\n\neffectiveness and potential side effects on organizational information systems\nbefore installation, and incorporate flaw remediation into the organizational\nconfiguration management process.\n\nResponse. In response to question 2 on the OMB template, NIT determined,\nbased on interviews and reviews of the patching process, that the Commission\nhas established and is maintaining a configuration management program. In\naddition, the SEC is maintaining a configuration management program that is\ngenerally consistent with FISMA, OMB, and NIST requirements.\n\nIn response to questions 2a(1) and 2.a(2), NIT found that OIT has a documented\nIT security configuration management policy, II\n                                which indicates the policy will be reviewed and\nupdated annually. However, NIT\xe2\x80\x99s review found that the policy has not been\nreviewed or updated since March 13, 2007. NIT also found that OIT has\nstandard baseline configuration documents that define the baseline configuration\nfor critical devices but that these documents have not been reviewed or updated\nwithin the past three years. Because the baseline configuration documents have\nnot been reviewed, the documents are not in compliance with NIST guidelines.\n\nIn response to questions 2a(3) and 2.a(4), NIT found that OIT is not conducting\nconfiguration compliance scans to ensure that configurations comply with the\ndefined baseline configurations. OIT is in the process of developing baseline\ncompliance templates that will be used to determine compliance with baseline\nconfigurations. NIT also found that OIT does not have a formal policy that\nidentifies the process for timely remediation of scan result deviations.\n\nIn response to questions 2a(5) through 2.a(7), NIT found that secure\nconfiguration settings are implemented and that any deviations from FDCC\nbaseline settings were documented and reported to NIST. Also, after watching a\ndemonstration of the patch process and reviewing provided documentation, NIT\nconcluded that OIT is adequately applying patches in a timely and secure\nmanner.\n\nShown below, Table 3 contains OIG\xe2\x80\x99s response to question 2, as provided by\nNIT.\n\n\n\n\n69\n  See IT                                                       available in the OIT\nPolicy Library,\n2011 Annual FISMA Executive Summary Report                            February 2, 2012\nReport No. 501\n                                    Page 35\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                         Appendix V\n\n\nTable 3: OIG Response to Question 2 From OMB Questionnaire\n       ID                  Questions from OMB Questionnaire                          Response\n\n 2.a            The Agency has established and is maintaining a security                Yes\n                configuration management program that is consistent with\n                FISMA requirements, OMB policy, and applicable NIST\n                guidelines. Although improvement opportunities may have\n                been identified by the OIG, the program includes the\n                following attributes:\n 2.a(1)         Documented policies and procedures for configuration                     No\n                management.\n 2.a(2)         Standard baseline configurations defined.                                No\n 2.a(3)         Assessing for compliance with baseline configurations.                   No\n 2.a(4)         Process for timely, as specified in agency policy or                     No\n                standards, remediation of scan result deviations.\n 2.a(5)         For Windows-based components, FDCC/USGCB secure                         Yes\n                configuration settings fully implemented and any deviations\n                from FDCC/USGCB baseline settings fully documented\n 2.a(6)         Documented proposed or actual changes to hardware and                   Yes\n                software configurations.\n 2.a(7)         Process for timely and secure installation of software                  Yes\n                patches.\nSource: OMB FISMA Web Portal.\n\n\nSection 3: Status of Incident Response and\nReporting\nBackground. Incident response is the documented (through policies and\nprocedures) and organized approach to addressing and managing the aftermath\nof a security breach or attack, also known as an incident. Incidents may include\nlost or stolen assets, such as laptops and Blackberry devices, or the compromise\nof an organization\xe2\x80\x99s system resulting, for example, from unauthorized access or a\ncomputer virus. NIST SP 800-53 lists the following controls associated with\nincident response:\n\n     \xe2\x80\xa2      IR-1 Incident Response Policy and Procedures\n     \xe2\x80\xa2      IR-2 Incident Response Training\n     \xe2\x80\xa2      IR-3 Incident Response Testing and Exercises\n     \xe2\x80\xa2      IR-4 Incident Handling\n     \xe2\x80\xa2      IR-5 Incident Monitoring\n     \xe2\x80\xa2      IR-6 Incident Reporting\n     \xe2\x80\xa2      IR-7 Incident Response Assistance\n     \xe2\x80\xa2      IR-8 Incident Response Plan 70\n\n\n\n70\n  NIST SP 800-53, Rev. 3, pp. F-61\xe2\x80\x93F-65, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                February 2, 2012\nReport No. 501\n                                       Page 36\n                               REDACTED PUBLIC VERSION\n\x0c                                                                                        Appendix V\n\n\nThe goal of incident response is to handle a situation in a way that limits damage\nand reduces recovery time and cost. Organizations develop an incident\nresponse plan to include policies that define, in specific terms, what constitutes\nan incident and to provide a step-by-step process, based on the type and\nseverity of the incident, to be followed when an incident occurs. NIST SP 800-\n61, Computer Security Incident Handling Guide, recommends that an incident\nresponse plan address the following elements:\n\n     \xe2\x80\xa2   Mission\n     \xe2\x80\xa2   Strategies and goals\n     \xe2\x80\xa2   Senior management approval\n     \xe2\x80\xa2   Organizational approach to incident response\n     \xe2\x80\xa2   How the incident response team will communicate with the rest of\n         the organization\n     \xe2\x80\xa2   Metrics for measuring the incident response capability\n     \xe2\x80\xa2   Roadmap for maturing the incident response capability\n     \xe2\x80\xa2   How the program fits into the overall organization 71\n\nIn addition, organizations should have a designated computer incident response\nteam consisting of carefully selected members that may include, in addition to\nsecurity and general IT staff, representatives from legal, human resources, and\npublic relations departments. The team\xe2\x80\x99s roles and responsibilities are\ndocumented, defined, and communicated thoroughly. 72\n\nResponse. In response to question 3 on the OMB template, NIT determined,\nbased on interviews and reviews of documentation, that the Commission has\nestablished and is maintaining an incident response and reporting program that\nis generally consistent with FISMA, OMB, and NIST requirements.\n\nIn response to question 3a(1), NIT found that OIT has documented policies and\nprocedures for detecting, responding to, and reporting incidents. The policies\nindicate that they will be reviewed and updated annually. However, our review\nfound that the\n           has not been reviewed or updated since August 9, 2007, and that the\n                                          has not been updated since March\n2007. Therefore, NIT determined the documentation does not comply with NIST\nguidelines. In addition, neither document has not been updated in accordance\nwith the SEC-defined frequency of three years specified in the SEC IT Security\n                                    73\n\n\n\n71\n   NIST SP 800-61, Rev. 1, Computer Security Incident Handling Guide (March 2008), pp. 2-4,\nhttp://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf.\n72\n   NIST SP 800-61, Rev. 1, Computer Security Incident Handling Guide (March 2008), pp. 2-12,\nhttp://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf.\n73\n   IT Security                                                                     available in the OIT\nPolicy Library,\n2011 Annual FISMA Executive Summary Report                                              February 2, 2012\nReport No. 501\n                                       Page 37\n                               REDACTED PUBLIC VERSION\n\x0c                                                                                            Appendix V\n\n\nIn response to question 3.a(2), NIT reviewed incident reports and found that they\ncontain comprehensive analysis, validation, and documentation of incidents at\nthe SEC.\n\nIn response to question 3.a(4), NIT reviewed the\n            and determined that OIT specifies timeframes for reporting applicable\nincidents to US-CERT. 74\n\nIn response to questions 3.a(5) and 3.a(6), NIT concluded that OIT responds to\nand resolves incidents in a timely manner, is capable of tracking and managing\nrisks in a virtual/cloud environment, and is capable of correlating incidents.\n\nTable 4 contains OIG\xe2\x80\x99s response to question 3, as provided by NIT.\n\nTable 4: OIG Response to Question 3 From OMB Questionnaire\n       ID                       Questions from OMB Questionnaire                        Response\n\n\n 3.a            The Agency has established and is maintaining an incident                  Yes\n                response and reporting program that is consistent with FISMA\n                requirements, OMB policy, and applicable NIST guidelines.\n                Although improvement opportunities may have been identified by\n                the OIG, the program includes the following attributes:\n 3.a(1)         Documented policies and procedures for detecting, responding to             No\n                and reporting incidents.\n 3.a(2)         Comprehensive analysis, validation and documentation of incidents.         Yes\n 3.a(3)         When applicable, reports to US-CERT within established                     Yes\n                timeframes.\n 3.a(4)         When applicable, reports to law enforcement within established             Yes\n                timeframes.\n 3.a(5)         Responds to and resolves incidents in a timely manner, as specified        Yes\n                in agency policy or standards, to minimize further damage.\n 3.a(6)         Is capable of tracking and managing risks in a virtual/cloud               Yes\n                environment, if applicable.\n 3.a(7)         Is capable of correlating incidents.                                       Yes\nSource:     OMB FISMA Web Portal.\n\n\nSection 4: Status of Security Training Program\nBackground. NIST SP 800-16, Information Technology Security Training\nRequirements: A Role and Performance-Based Model, provides guidance for\ndesigning a role-based training program. 75\n\nFederal agencies and organizations cannot protect the integrity, confidentiality,\nand availability of information in today\xe2\x80\x99s highly networked systems environment\nwithout ensuring that each person involved understands his or her roles and\n\n74\n   See                                                                   , available in the OIT Policy\nLibrary,\n75\n   NIST SP 800-16, Information Technology Security Training Requirements: A Role and Performance-\nBased Model, http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf.\n2011 Annual FISMA Executive Summary Report                                                   February 2, 2012\nReport No. 501\n                                          Page 38\n                                  REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\n\nresponsibilities and is adequately trained to perform them. NIST SP 800-53 lists\nthe following controls associated with security awareness training:\n\n        \xe2\x80\xa2    AT-1 Security Awareness and Training Policy and Procedures\n        \xe2\x80\xa2    AT-2 Security Awareness\n        \xe2\x80\xa2    AT-3 Security Training\n        \xe2\x80\xa2    AT-4 Security Training Records\n        \xe2\x80\xa2    AT-5 Contacts with Security Groups and Associations76\n\nSecurity awareness and training policies and procedures can be developed for\nthe security program in general and, when required, for a particular information\nsystem.\n\nResponse. In response to question 4 on the OMB template, NIT determined,\nbased on interviews and reviews of documentation, that the SEC has established\nand is maintaining a security training program that is generally consistent with\nFISMA, OMB, and NIST requirements.\n\nIn response to question 4.a(1), NIST found OIT has policies and procedures for\nsecurity awareness training. The document containing the policies and\nprocedures, IT Security\nindicates that it will be reviewed and updated annually, but it was last updated on\nDecember 29, 2005. 77\n\nIn response to questions 4.a(2) and 4.a(3), NIT found that the Commission has\nspecialized training modules based on IT security roles and responsibilities.\n\nIn response to questions 4.a(4) and 4.a(5), NIT found that the Commission has\nconducted security awareness for its personnel, including employees,\ncontractors, and other agency users. In addition, the identification and tracking\nof the status of specialized training for all personnel are formally documented.\n\nTable 5 contains OIG\xe2\x80\x99s response to question 4, as provided by NIT.\n\n\n\n\n76\n   NIST SP 800-53, Rev. 3, pp. F-21-23, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n77\n   IT Security                                                                        available in the OIT\nPolicy Library,\n2011 Annual FISMA Executive Summary Report                                                  February 2, 2012\nReport No. 501\n                                        Page 39\n                                REDACTED PUBLIC VERSION\n\x0c                                                                                        Appendix V\n\n\n Table 5: OIG Response to Question 4 From OMB Questionnaire\n        ID                   Questions from OMB Questionnaire                        Response\n\n  4.a            The Agency has established and is maintaining a security              Yes\n                 training program that is consistent with FISMA requirements,\n                 OMB policy, and applicable NIST guidelines. Although\n                 improvement opportunities may have been identified by the\n                 OIG, the program includes the following attributes:\n  4.a(1)         Documented policies and procedures for security awareness             No\n                 training.\n  4.a(2)         Documented policies and procedures for specialized training           Yes\n                 for users with significant information security responsibilities.\n  4.a(3)         Security training content based on the organization and roles,        Yes\n                 as specified in agency policy or standards.\n  4.a(4)         Identification and tracking of the status of security awareness       Yes\n                 training for all personnel (including employees, contractors,\n                 and other agency users) with access privileges that require\n                 security awareness training.\n Source: OMB FISMA Web Portal.\n\n\nSection 5: Status of POA&M Report\nBackground. The POA&M is a key document in a C&A package. It is used to\ndocument identified weaknesses and vulnerabilities discovered through security\ncontrol assessments, security impact analyses, risk assessments, and\ncontinuous monitoring activities. A POA&M document should contain information\non the system, the identified vulnerability, severity and risk level of the\nvulnerability, applicable control family based on NIST SP 800-53, recommended\nremediation and timeline, and responsible party or organization for mitigating the\nweakness or vulnerability. NIST SP 800-53 includes the following specific\nguidance related to POA&Ms:\n\nControl\xe2\x80\x94Certification and Accreditation\n\n             \xe2\x80\xa2   CA-5 Plan of Action and Milestones\n\n                 The organization:\n\n             a. Develops a plan of action and milestones for the information\n                system to document the organization\xe2\x80\x99s planned remedial actions\n                to correct weaknesses or deficiencies noted during the\n                assessment of the security controls and to reduce or eliminate\n                known vulnerabilities in the system; and\n             b. Updates existing plan of action and milestones [Assignment:\n                organization-defined frequency] based on the findings from\n\n\n\n2011 Annual FISMA Executive Summary Report                                              February 2, 2012\nReport No. 501\n                                         Page 40\n                                 REDACTED PUBLIC VERSION\n\x0c                                                                                             Appendix V\n\n\n             security controls assessments, security impact analyses, and\n             continuous monitoring activities. 78\n\nResponse. In response to question 5 on the OMB template, NIT determined,\nbased on interviews and reviews of documentation, that the SEC has established\nand is maintaining a POA&M management program that is generally consistent\nwith FISMA, OMB, and NIST requirements.\n\nIn response to 5.a(1), NIT found OIT has documented policies and procedures\nfor managing IT security weaknesses discovered during security control\nassessments and required remediation. OIT has developed IT Security\n                                               , which addresses POA&M\nmanagement and remediation. Although the policy indicates that it will be\nreviewed annually, 80 NIT found that it has not been reviewed since June 2005.\n\nIn response to questions 5.a(2) through 5.a(4), NIT confirmed that OIT is\neffectively tracking, prioritizing, and remediating weaknesses across the various\nsystems in accordance with the remediation dates specified in the POA&M\ndocumentation.\n\nIn response to questions 5.a(5) and 5.a(6), NIT found that OIT has provided the\nappropriate resources for correcting the weaknesses and that the progress of the\nremediation is reported to the appropriate SEC officials on a regular basis.\n\nTable 6 contains OIG\xe2\x80\x99s response to question 5, as provided by NIT.\n\n\n\n\n78\n   NIST SP 800-53, Rev. 3, pp. F-35, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n79\n   IT Security                                                                available in the OIT Policy\nLibrary,\n80\n   IT Security\n2011 Annual FISMA Executive Summary Report                                                    February 2, 2012\nReport No. 501\n                                         Page 41\n                                 REDACTED PUBLIC VERSION\n\x0c                                                                                   Appendix V\n\n\nTable 6: OIG Response to Question 5 From OMB Questionnaire\n       ID                 Questions from OMB Questionnaire                      Response\n\n 5.a           The Agency has established and is maintaining a POA&M              Yes\n               program that is consistent with FISMA requirements, OMB\n               policy, and applicable NIST guidelines and tracks and\n               monitors known information security weaknesses. Although\n               improvement opportunities may have been identified by the\n               OIG, the program includes the following attributes:\n 5.a(1)        Documented policies and procedures for managing IT                 No\n               security weaknesses discovered during security control\n               assessments and requiring remediation.\n 5.a(2)        Tracks, prioritizes and remediates weaknesses.                     Yes\n 5.a(3)        Ensures remediation plans are effective for correcting             Yes\n               weaknesses.\n 5.a(4)        Establishes and adheres to milestone remediation dates.            Yes\n 5.a(5)        Ensures resources are provided for correcting weaknesses.          Yes\n 5.a(6)        Program officials and contractors report progress on               Yes\n               remediation to CIO on a regular basis, at least quarterly, and\n               the CIO centrally tracks, maintains, and independently\n               reviews/validates the POA&M activities at least quarterly.\nSource: OMB FISMA Web Portal.\n\n\nSection 6: Status of Remote Access Management\nRemote access is the ability to access a computer or a network from a remote\nlocation. Most commonly this type of access is used by telecommuters working\nfrom home, personnel on travel, consultants and contractors, and others who are\nnot permanently based at a facility. NIST SP 800-53 includes the following\nguidance pertaining to remote access:\n\nControl\xe2\x80\x94Access Control\n\n   \xe2\x80\xa2        AC-17 Remote Access\n\n   The organization:\n\n   a. Documents allowed methods of remote access to the information\n      system;\n   b. Establishes usage restrictions and implementation guidance for\n      each allowed remote access method;\n   c. Monitors for unauthorized remote access to the information system;\n   d. Authorizes remote access to the information system prior to\n      connection; and\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                         February 2, 2012\nReport No. 501\n                                       Page 42\n                               REDACTED PUBLIC VERSION\n\x0c                                                                                              Appendix V\n\n\n     e. Enforces requirements for remote connections to the information\n        system. 81\n\nRemote access is any access to an organization\xe2\x80\x99s information system by a user\ncommunicating through an external network (e.g., the Internet). Remote access\nrequires strong authentication for security purposes and therefore should require\nmulti-factor authentication. Multi-factor identification consists of a combination of\na password, passcode from a secure token, a user name, and personal\nidentification number (PIN) to establish connection to the network, followed by\nthe user\xe2\x80\x99s account domain user name and password to access applications or\nworkstations.\n\nResponse. In response to question 6 on the OMB template, NIT determined,\nbased on interviews and reviews of documentation, that the SEC has established\nand is maintaining a remote access management program that is generally\nconsistent with FISMA, OMB, and NIST requirements.\n\nIn response to question 6.a(1), NIT found that OIT has documented policies and\nprocedures for authorizing, monitoring, and controlling the following methods of\nremote access:\n\n            OIT has developed policies and procedures that address remote\naccess. However, three of the policies have not been reviewed or updated since\n2002, one has not been reviewed or updated since 2005, and one has not been\nreviewed or updated since 2006. Therefore, NIT determined that the documents\nare not in full compliance with NIST guidelines.\n\nIn response to questions 6.a(2) and 6.a(3), NIT found that the Commission\xe2\x80\x99s\nremote access infrastructure is located in a secure demilitarized zone 86 and that\nall users must first be authenticated for remote access.\n\nIn response to questions 6.a(4) through 6.a(6), NIT found that a new user must\nhave an OIT network account and an RSA token to use the Commission\xe2\x80\x99s\nremote access, both which must be authorized by the appropriate OIT manager\nfor employees or by the Contracting Officer\xe2\x80\x99s Technical Representative for\ncontractors. The methods used for remote access meet the encryption\n\n\n\n81\n   NIST SP 800-53, Rev. 3, p. F-14, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n82\n   A                              client is              the               which is a             that\n                                                   such as\n         allows users to                                   from                                .\n84\n          provides users device              for\n85\n                                 s the                 used by the SEC.          allows\n\n  A demilitarized zone is firewall configuration that adds an extra layer of security for information systems.\n2011 Annual FISMA Executive Summary Report                                                      February 2, 2012\nReport No. 501\n                                         Page 43\n                                 REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\nrequirements specified in NIST SP 800-63, version 1.0.2, Electronic\nAuthentication Guide 87 and are properly implemented.\n\nShown below, Table 7 contains OIG\xe2\x80\x99s response to question 6, as provided by\nNIT.\n\n     Table 7: OIG Response to Question 6 From OMB Questionnaire\n           ID                   Questions from OMB Questionnaire                        Response\n\n     6.a            The Agency has established and is maintaining a remote                Yes\n                    access program that is consistent with FISMA requirements,\n                    OMB policy, and applicable NIST guidelines. Although\n                    improvement opportunities may have been identified by the\n                    OIG, the program includes the following attributes:\n\n     6.a(1)         Documented policies and procedures for authorizing,                   No\n                    monitoring, and controlling all methods of remote access.\n     6.a(2)         Protects against unauthorized connections or subversion of            Yes\n                    authorized connections.\n     6.a(3)         Users are uniquely identified and authenticated for all access.       Yes\n     6.a(4)         If applicable, multi-factor authentication is required for remote     Yes\n                    access.\n     6.a(5)         Authentication mechanisms meet NIST Special Publication               Yes\n                    800-63 guidance on remote electronic authentication,\n                    including strength mechanisms.\n     6.a(6)         Defines and implements encryption requirements for                    Yes\n                    information transmitted across public networks.\n     6.a(7)         Remote access sessions, in accordance to OMB M-07-16,                 Yes\n                    are timed-out after 30 minutes of inactivity after which re-\n                    authentication are required.\n Source: OMB FISMA Web Portal.\n\n\nSection 7: Status of Identity and Access\nManagement\nBackground. Identity and access management refers to how personnel are\nidentified and authorized across computer networks (logical access) and facilities\n(physical access). It covers issues such as how users are given an identity, the\nprotection of that identity, and the technologies supporting that protection (e.g.,\nnetwork protocols, digital certificates, passwords). NIST SP 800-53 lists the\nfollowing controls pertaining to identity and access management:\n\nControl\xe2\x80\x94Identification and Authentication\n\n      \xe2\x80\xa2         IA-2 Identification and Authentication (Organizational Users) 88\n87\n  NIST SP 800-63, version 1.0.2, Electronic Authentication Guide (Apr. 2006).\n88\n  NIST SP 800-53, Rev. 3, pp. F-54\xe2\x80\x93F-55, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                February 2, 2012\nReport No. 501\n                                            Page 44\n                                    REDACTED PUBLIC VERSION\n\x0c                                                                                              Appendix V\n\n\nControl\xe2\x80\x94Access Management\n\n     \xe2\x80\xa2   AC-2 Account Management\n     \xe2\x80\xa2   AC-3 Access Enforcement\n     \xe2\x80\xa2   AC-5 Separation of Duties 89\n\nID badges and cardkeys are most commonly used for physical access, although\nbiometrics may also be used. 90 Badges generally have a photograph of an\nindividual and his or her location of employment, as well as an assigned serial\nnumber that is entered into the access system with the name of the assignee.\nThe badge is scanned into a reader that authorizes and records the person\xe2\x80\x99s\nentry, and sometimes exit, into a facility. The access badges can also be\nprogrammed based on the individuals job function. For example, access to a\ndata center or secure operations center would be granted only to individuals who\nwork in that area.\n\nFor logical access, users are given a unique identifier, usually their first initial and\nlast name, that they will use to access computers, networks, and applications\nappropriate to their role in the organization. For both logical and physical access,\norganizations develop their own processes and procedures to communicate to\nsecurity and network operations the level of access an individual requires. This\ncommunication is usually handled through an electronic request or a form\ngenerated by the individual\xe2\x80\x99s supervisor.\n\nIn August 2004, HSPD-12 was published to establish consistent identity and\naccess controls throughout the federal government. This directive was a result of\ninconsistent identity management throughout federal agencies and the need to\nprovide secure and reliable forms of identification for physical and logical\naccess. 91\n\nResponse. In response to question 7 on the OMB template, NIT found, based\non interviews and reviews of documentation, that the SEC has established and is\nmaintaining an identity and access management program that is generally\nconsistent with FISMA requirements, OMB policy, and applicable NIST\nguidelines and that identifies users and network devices. NIT found that OIT has\ndeveloped policies and procedures that address account and identity\nmanagement.\n\n\n\n89\n   NIST SP 800-53, Rev. 3, pp. F-3\xe2\x80\x93F-9, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n90\n   A \xe2\x80\x9cbiometric\xe2\x80\x9d is defined as \xe2\x80\x9c[a] measurable, physical characteristic or personal behavioral trait used to\nrecognize the identity, or verify the claimed identity, of an Applicant. Facial images, fingerprints, and iris\nscan samples are all examples of biometrics.\xe2\x80\x9d FIPS 201-1, p. 70,\nhttp://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.\n91\n   HSPD-12, para. 3, http://www.dhs.gov/xabout/laws/gc_1217616624097.shtm#1.\n2011 Annual FISMA Executive Summary Report                                                      February 2, 2012\nReport No. 501\n                                         Page 45\n                                 REDACTED PUBLIC VERSION\n\x0c                                                                                 Appendix V\n\n\nIn response to question 7.a(1), NIT found that OIT has developed policies and\nprocedures that address account and identity management.\n                                                                       is currently\nin draft form.                                was last updated on April 6, 2006.\n                                                 , has not been updated since July\n9, 2008. Each of these policies indicates that it will be reviewed annually.\n\nIn response to question 7.a(2), NIT found that OIT was able to provide the\nrequested list of all users, including federal employees, contractors, and others\nwho access agency systems.\n\nIn response to questions 7.a(3) and 7.a(4), NIT found that the SEC does not use\nmulti-factor authentication linked to the PIV card to access information systems,\nas required by HSPD-12 and in accordance with NIST recommendations. The\nPIV card is used only for physical access and is not used to access SEC\nsystems.\n\nIn response to questions 7.a(5) and 7.a(6), NIT found that separation of duties is\nsufficiently enforced. NIT also concluded that OIT keeps a record of its asset\ninventory, including printers, desktops, laptops, and mobile devices.\n\nIn response to questions 7.a(7) and 7.a(8), NIT found that accounts are\nterminated or deactivated once access is no longer required. No shared\naccounts are used at the Commission.\n\nTable 8 contains OIG\xe2\x80\x99s response to question 7, as provided by NIT.\n\nTable 8: OIG Response to Question 7 From OMB Questionnaire\n       ID               Questions from OMB Questionnaire                      Response\n\n 7.a        The Agency has established and is maintaining an identity           Yes\n            and access management program that is consistent with\n            FISMA requirements, OMB policy, and applicable NIST\n            guidelines and identifies users and network devices.\n            Although improvement opportunities may have been\n            identified by the OIG, the program includes the following\n            attributes:\n 7.a(1)     Documented policies and procedures for account and identity         No\n            management.\n 7.a(2)     Identifies all users, including federal employees, contractors,     Yes\n            and others who access Agency systems.\n 7.a(3)     Identifies when special access requirements (e.g., multi-           No\n            factor authentication) are necessary.\n 7.a(4)     If multi-factor authentication is in use, it is linked to the       No\n            Agency\'s PIV program where appropriate.\n 7.a(5)     Ensures that the users are granted access based on needs            Yes\n            and separation of duties principles.\n 7.a(6)     Identifies devices that are attached to the network and             Yes\n\n2011 Annual FISMA Executive Summary Report                                      February 2, 2012\nReport No. 501\n                                    Page 46\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                          Appendix V\n\n     ID                    Questions from OMB Questionnaire                          Response\n\n              distinguishes these devices from users.\n 7.a(7)       Ensures that accounts are terminated or deactivated once                   Yes\n              access is no longer required.\n 7.a(8)       Identifies and controls use of shared accounts.                            Yes\nSource: OMB FISMA Web Portal.\n\n\nSection 8: Status of Continuous Monitoring\nManagement\nBackground. Continuous monitoring is the process of tracking the security state\nof an information system on an ongoing basis and maintaining the security\nauthorization for the system over time. Understanding the security state of\ninformation systems is essential in highly dynamic environments of operation with\nchanging threats, vulnerabilities, technologies, and mission and business\nprocesses. Network vulnerability assessments, intrusion detection systems\n(IDS), intrusion prevention systems (IPS), and C&A are all components of\ncontinuous monitoring programs. NIST SP 800-53 provides guidance on\ncontinuous monitoring includes the following:\n\n     \xe2\x80\xa2    CA-7\xe2\x80\x94Continuous Monitoring\n\n     The organization establishes a continuous monitoring strategy and\n     implements a continuous monitoring program that includes:\n\n     a. A configuration management process for the information system\n        and its constituent components;\n     b. A determination of the security impact of changes to the information\n        system and environment of operation;\n     c. Ongoing security control assessments in accordance with the\n        organizational continuous monitoring strategy; and\n     d. Reporting the security state of the information system to\n        appropriate organizational officials [Assignment: organization-\n        defined frequency]. 92\n\nSuccessful network monitoring and incident handling includes the following key\ncomponents: assisting in rapid breach response; conducting a thorough\ninvestigation of the system; containing the damage; gathering and analyzing\nevidence; improving system practices, plans, and procedures; providing expert\nreports and testimony, if necessary; and minimizing the loss of revenue.\nContinuous monitoring ensures that all security-related incidents are handled in a\ntimely manner.\n92\n  NIST SP 800-53, Rev. 3, pp. F-36 - F-37 http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                 February 2, 2012\nReport No. 501\n                                        Page 47\n                                REDACTED PUBLIC VERSION\n\x0c                                                                                 Appendix V\n\n\nResponse. In response to question 8 on the OMB template, based on interviews\nand reviews of documentation, the SEC has established and is maintaining an\nenterprise-wide continuous monitoring program that assesses the security state\nof information systems that is generally consistent with FISMA requirements,\nOMB policy, and applicable NIST guidelines.\n\nConcerning question 8.a(1), the OIT has a template for preparing continuous\nmonitoring reports, but has not developed policy or procedures to address\ncontinuous monitoring.\n\nIn response to question 8.a(2), NIT found that a template for preparing\ncontinuous monitoring reports has been developed.\n\nConcerning question 8.a(3), NIT found that there is an approved continuous\nmonitoring plan, and the provided continuous monitoring reports are constructed\nbased on the approved continuous monitoring plan.\n\nIn response to question 8.a(4), NIT found that the continuous monitoring plan\nincludes a defined frequency for OIT to provide authorizing officials and other key\nsystem officials with security status reports covering updates to security plans\nand security assessment reports, as well as POA&M additions and updates, and\nthat OIT provides the reports with the frequency specified. NIT reviewed a\nGeneral Support System continuous monitoring overview report and found that it\ncovers updates to the SSPs and POA&Ms. Table 9 contains OIG\xe2\x80\x99s response to\nquestion 8, as provided by NIT.\n\nTable 9: OIG Response to Question 8 From OMB Questionnaire\n       ID               Questions from OMB Questionnaire                      Response\n\n 8.a        The Agency has established an enterprise-wide continuous             Yes\n            monitoring program that assesses the security state of\n            information systems that is consistent with FISMA\n            requirements, OMB policy, and applicable NIST guidelines.\n            Although improvement opportunities may have been\n            identified by the OIG, the program includes the following\n            attributes:\n 8.a(1)     Documented policies and procedures for continuous                   No\n            monitoring.\n 8.a(2)     Documented strategy and plans for continuous monitoring.            Yes\n 8.a(3)     Ongoing assessments of security controls (system-specific,          Yes\n            hybrid, and common) that have been performed based on the\n            approved continuous monitoring plans.\n 8.a(4)     Provides authorizing officials and other key system officials       Yes\n            with security status reports covering updates to security plans\n            and security assessment reports, as well as POA&M\n            additions and updates with the frequency defined in the\n            strategy and/or plans.\nSource: OMB FISMA Web Portal.\n\n2011 Annual FISMA Executive Summary Report                                      February 2, 2012\nReport No. 501\n                                    Page 48\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                            Appendix V\n\n\nSection 9: Status of Contingency Planning\nBackground. Contingency planning refers to development of processes,\npolicies, and procedures for reestablishing operations for an enterprise after a\nman-made or natural disaster. Examples of issues addressed in contingency\nplanning are reactivation of systems, communication to personnel, alternate work\nlocation for personnel, roles and responsibilities, and utilities\n(telecommunications, power, water). NIST SP 800-53 lists the following controls\npertaining to contingency planning:\n\n         \xe2\x80\xa2        CP-1 Contingency Planning Policy and Procedures\n         \xe2\x80\xa2        CP-2 Contingency Plan\n         \xe2\x80\xa2        CP-3 Contingency Training\n         \xe2\x80\xa2        CP-4 Contingency Plan Testing and Exercises\n         \xe2\x80\xa2        CP-6 Alternate Storage Site\n         \xe2\x80\xa2        CP-7 Alternate Processing Site\n         \xe2\x80\xa2        CP-8 Telecommunications Services\n         \xe2\x80\xa2        CP-9 Information System Backup\n         \xe2\x80\xa2        CP-10 Information System Recovery and Reconstitution 93\n\nContingency planning focuses on recovery strategies that provide a means to\nrestore operations quickly and effectively following a service disruption, as well\nas the strategies to address disruption impacts and allowable outage times.\n\nResponse. In response to question 9 on the OMB template, NIT found, based\non interviews and reviews of documentation, that the SEC has established and is\nmaintaining an enterprise-wide business continuity/disaster recovery program\nthat is generally consistent with FISMA requirements, OMB policy, and applicable\nNIST guidelines.\n\nIn response to question 9.a(1), NIT determined that OIT has documented\nbusiness continuity and disaster recovery policies and procedures. However, the\npolicies have not been updated since 2002, and the procedures have not been\nupdated since 2003.                                                     , was\nlast updated on August 6, 2002, and\n                 was last updated on February 4, 2003.\n\nIn response to question 9.a(2), NIT found that a business impact analysis (BIA\nhas been executed for all major applications at the SEC. 94\n\n93\n   NIST SP 800-53, Rev. 3, pp. F-47 - F-53, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-\nrev3-final_updated-errata_05-01-2010.pdf.\n94\n   The purpose of the BIA is to help \xe2\x80\x9cidentify and prioritize information systems and components critical to\nsupporting the organization\xe2\x80\x99s mission/business processes.\xe2\x80\x9d NIST SP 800-34, Rev. 1, p. ES-1,\nhttp://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                   February 2, 2012\nReport No. 501\n                                        Page 49\n                                REDACTED PUBLIC VERSION\n\x0c                                                                              Appendix V\n\n\nIn response to questions 9.a(3) and 9.a(4), NIT reviewed disaster recovery plans\nacross all the systems being evaluated and determined that those plans, along\nwith the documented recovery exercises, demonstrate the documentation of\ndivision, component, and IT infrastructure recovery strategies, plans, and\nprocedures. Further, NIT found that OIT performs annual contingency plan\ntesting at the OIT level for major applications.\n\nIn response to question 9.a(5), NIT reviewed the disaster recovery plans across\nmultiple systems at the SEC and determined that disaster recovery plans are in\nplace and can be implemented when necessary.\n\nIn response to questions 9.a(6) and 9.a(7), NIT determined, after reviewing test,\ntraining, and exercise documentation, that the development of test, training, and\nexercise programs happens in the weeks prior to the exercise\xe2\x80\x99s execution date.\nNIT determined that annual exercises to determine the effectiveness of and to\nmaintain current business continuity/disaster recovery plans are performed.\n\nTable 10 contains OIG\xe2\x80\x99s response to question 9, as provided by NIT.\n\nTable 10: OIG Response to Question 9 From OMB Questionnaire\n       ID               Questions from OMB Questionnaire                   Response\n\n 9.a        The Agency established and is maintaining an enterprise-         Yes\n            wide business continuity/disaster recovery program that is\n            consistent with FISMA requirements, OMB policy, and\n            applicable NIST guidelines. Although improvement\n            opportunities may have been identified by the OIG, the\n            program includes the following attributes:\n 9.a(1)     Documented business continuity and disaster recovery policy      No\n            providing the authority and guidance necessary to reduce the\n            impact of a disruptive event or disaster.\n 9.a(2)     The agency has performed an overall Business Impact              Yes\n            Analysis (BIA).\n 9.a(3)     Development and documentation of division, component, and        Yes\n            IT infrastructure recovery strategies, plans and procedures.\n 9.a(4)     Testing of system specific contingency plans.                    Yes\n 9.a(5)     The documented business continuity and disaster recovery         Yes\n            plans are in place and can be implemented when necessary.\n 9.a(6)     Development of test, training, and exercise (TT&E) programs.     Yes\n 9.a(7)     Performance of regular ongoing testing or exercising of          Yes\n            business continuity/disaster recovery plans to determine\n            effectiveness and to maintain current plans.\nSource: OMB FISMA Web Portal.\n\n\nSection 10: Status of Contractor Systems\nBackground. Outside contractors play an integral role in federal government\noperations. Their services range from staff augmentation to technology system\n2011 Annual FISMA Executive Summary Report                                   February 2, 2012\nReport No. 501\n                                    Page 50\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\n\ndevelopment, operation, and maintenance. Contractors are subject to the same\nrules of conduct as employees of the organization they are brought in to support\nand therefore must adhere to all of the organization\xe2\x80\x99s policies and procedures.\nContractor systems deployed in the federal government are subject to a full C&A\nprior to implementation and are also governed by policies and procedures of the\nagency for compliance with NIST, FISMA, and OMB guidance. NIST SP 800-53\nprovides the following guidance pertaining to contractor systems:\n\n     \xe2\x80\xa2   CA-3 Information System Connections\n\n     The organization:\n\n         a. Authorizes connections from the information system to other\n            information systems outside of the authorization boundary\n            through the use of Interconnection Security Agreements;\n         b. Documents, for each connection, the interface characteristics,\n            security requirements, and the nature of the information\n            communicated; and\n         c. Monitors the information system connections on an ongoing\n            basis verifying enforcement of security requirements. 95\n\nResponse. In response to question 10 on the OMB template, NIT found, based\non interviews and reviews of documentation, that the SEC has established and is\ngenerally maintaining a program to oversee systems operated on its behalf by\ncontractors or other entities, including SEC systems and services residing in the\npublic cloud.\n\nIn response to question 10.a(1), NIT found that OIT does not have documented\npolicies and procedures to address security oversight of systems operated on the\nSEC\'s behalf by contractors or other entities.\n\nIn response to question 10.a(2), NIT found that the SEC does consistently assure\nthat security controls of contractor systems are effectively implemented and\ncomply with federal and SEC guidelines.\n\nIn response to question 10.a(3), NIT found that OIT has a complete inventory of\nsystems operated on the SEC\'s behalf by contractors or other entities, including\nSEC systems and services residing in the public cloud.\n\nIn response to questions 10.a(4) and 10.a(5), NIT found, after reviewing the risk\nassessment documents, that the SEC identifies the interface between\ncontractor/external systems and SEC-operated systems. In addition, NIT found\n\n\n95\n   NIST SP 800-53, Rev. 3, p. F-34, http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-\nfinal_updated-errata_05-01-2010.pdf.\n2011 Annual FISMA Executive Summary Report                                                  February 2, 2012\nReport No. 501\n                                        Page 51\n                                REDACTED PUBLIC VERSION\n\x0c                                                                           Appendix V\n\n\nthat OIT has the appropriate agreements in place for systems that maintain a\npersistent connection to the SEC.\n\nIn response to questions 10.a(6) and 10.a(7), NIT found that the inventory of\ncontractor systems is updated at least annually. NIT also determined that\nsystems that are owned or operated by contractors or entities, including SEC\nsystems and services residing in the public cloud, are compliant with FISMA\nrequirements, OMB policy, and applicable NIST guidelines.\n\nTable 11 contains OIG\xe2\x80\x99s response to question 10, as provided by NIT.\n\n  Table 11: OIG Response to Question 10 From OMB Questionnaire\n     ID              Questions from OMB Questionnaire                  Response\n\n   10.a      The Agency has established and maintains a program          Yes\n             to oversee systems operated on its behalf by\n             contractors or other entities, including Agency systems\n             and services residing in the cloud external to the\n             Agency. Although improvement opportunities may\n             have been identified by the OIG, the program includes\n             the following attributes:\n   10.a(1)   Documented policies and procedures for information          No\n             security oversight of systems operated on the\n             Agency\'s behalf by contractors or other entities,\n             including Agency systems and services residing in\n             public cloud.\n   10.a(2)   The Agency obtains sufficient assurance that security       Yes\n             controls of such systems and services are effectively\n             implemented and comply with federal and agency\n             guidelines.\n   10.a(3)   A complete inventory of systems operated on the             Yes\n             Agency\'s behalf by contractors or other entities,\n             including Agency systems and services residing in\n             public cloud.\n   10.a(4)   The inventory identifies interfaces between these           Yes\n             systems and Agency-operated systems.\n   10.a(5)   The agency requires appropriate agreements (e.g.,           Yes\n             MOUs, Interconnection Security Agreements,\n             contracts, etc.) for interfaces between these systems\n             and those that it owns and operates.\n   10.a(6)   The inventory of contractor systems is updated at least     Yes\n             annually.\n  Source: OMB FISMA Web Portal.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                February 2, 2012\nReport No. 501\n                                    Page 52\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                          Appendix V\n\n\nSection 11: Status of Security Capital Planning\nBackground. Security capital planning is the process of applying funding toward\nhigh-priority security investments to support the objective of implementing and\nmaintaining appropriate security controls for information systems. It provides a\nsystematic approach to selecting, managing, and evaluating IT security\ninvestments.\n\nImplementation of IT security within the federal government is guided by a\ncombination of legislation, rules and regulations, and agency-specific policies.\nSpecifically, FISMA requires agencies to integrate IT security into their capital\nplanning and enterprise architecture processes, conduct annual IT security\nreviews of all programs and systems, and report the results of those reviews to\nOMB. NIST SP 800-65, Integrating IT Security into the Capital Planning and\nInvestment Control Process, outlines the security capital planning initiatives for\nfederal agencies. 96\n\nUnder FISMA, an organization is responsible for establishing and maintaining a\nsecurity capital planning and investment program for information security.\nDocumentation for the program must include policies and procedures relative to\nsecurity capital planning and address the information security requirements as\npart of the capital planning and investment process. An organization\xe2\x80\x99s budget\nmust contain a discrete line item for information security in organizational\nprogramming and documentation. When required, a business case/Exhibit\n300/Exhibit 53 must be submitted to record the information security resources\nrequired, and planned resources must be available for expenditure. 97\n\nResponse. In response to question 11 on the OMB template, based on\ninterviews and reviews of documentation, NIT found that the SEC has\nestablished and is maintaining a security capital planning program for information\nsecurity.\n\nIn response to questions 11.a(1) and 11.a(2), NIT determined that the SEC has\ndocumented policies and procedures to address information security in the\ncapital planning and investment control process. NIT found that OIT includes\ninformation security requirements as part of the capital planning and investment\nprocess.\n\n\n\n\n96\n   NIST SP 800-65, Integrating IT Security Into the Capital Planning and Investment Control Process\n(January 2005), http://csrc.nist.gov/publications/nistpubs/800-65/SP-800-65-Final.pdf.\n97\n   The Exhibit 300 reflects an investment\xe2\x80\x99s plan for capital asset management. The Exhibit 53 includes a\nrollup of all Exhibit 300s and additional IT expenses from across the agency. NIST SP 800-65, p. 7,\nhttp://csrc.nist.gov/publications/nistpubs/800-65/SP-800-65-Final.pdf.\n2011 Annual FISMA Executive Summary Report                                                 February 2, 2012\nReport No. 501\n                                        Page 53\n                                REDACTED PUBLIC VERSION\n\x0c                                                                          Appendix V\n\n\nIn response to question 11.a(3), NIT found, after reviewing the appropriate\ndocumentation, that OIT establishes a discrete line item for information security\nin organizational programming and documentation.\n\nIn response to question 11.a(4), NIT found that OIT employs a business case to\nrecord the information security resources required and has submitted the\nrequired Exhibit 300 and Exhibit 53 to OMB.\n\nIn response to question 11.a(5), NIT found that security resources are available\nfor expenditure as planned.\n\nTable 12 contains OIG\xe2\x80\x99s response to question 11, as provided by NIT.\n\nTable 12: OIG Response to Question 11 From OMB Questionnaire\n  ID        Questions from OMB Questionnaire                            Response\n\n  11.a      The Agency has established and maintains a security           Yes\n            capital planning and investment program for information\n            security. Although improvement opportunities may\n            have been identified by the OIG, the program includes\n            the following attributes:\n  11.a(1)   Documented policies and procedures to address                 Yes\n            information security in the capital planning and\n            investment control process.\n  11.a(2)   Includes information security requirements as part of         Yes\n            the capital planning and investment process.\n  11.a(3)   Establishes a discrete line item for information security     Yes\n            in organizational programming and documentation.\n  11.a(4)   Employs a business case/Exhibit 300/Exhibit 53 to             Yes\n            record the information security resources required.\n  11.a(5)   Ensures that information security resources are               Yes\n            available for expenditure as planned.\nSource: OMB FISMA Web Portal.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                February 2, 2012\nReport No. 501\n                                    Page 54\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                   Appendix VI\n\n\nOIT Policies and Procedures Past Due for Updates\nTable 13: OIT Policies and Procedures and Date of Last Update\n                                                      Date                      Where        Number\n      FISMA                                                      Defined\n                Name of Policy   Policy Number        Last                    Frequency      of Years\n     Controls                                                   Frequency\n                                                    Updated                    Specified     Outdated\n                                                    12/22/05      Annual      Specified in       5\n                                                                              policy or\n                                                                              procedure\n                                                    3/13/07       Annual      Specified in       3\n                                                                              policy or\n                                                                              procedure\n                                                    1/3/06        Annual      Specified in       4\n                                                                              policy or\n                                                                              procedure\n\n                                                    12/30/05      Annual      Specified in       5\n                                                                              policy or\n                                                                              procedure\n                                                    4/24/06       Annual      Specified in       4\n                                                                              policy or\n                                                                              procedure\n\n                                                    4/17/06       Annual      Specified in       4\n                                                                              policy or\n                                                                              procedure\n\n                                                    1/11/06       Annual      Specified in       4\n                                                                              policy or\n                                                                              procedure\n\n                                                    12/30/05      Annual      Specified in       5\n                                                                              policy\n\n                                                    4/17/06       Annual      Specified in       4\n                                                                              policy or\n                                                                              procedure\n\n                                                    4/17/06       Annual      Specified in       4\n                                                                              policy or\n                                                                              procedure\n                                                    4/17/06       Annual      Specified in       4\n                                                                              policy or\n                                                                              procedure\n\n                                                    12/30/05      Annual      Specified in       5\n                                                                              policy or\n                                                                              procedure\n\n\n                                                    12/28/05      Annual      Specified in       5\n                                                                              policy or\n                                                                              procedure\n\n\n\n\n98\n  The site was accessed for the              policy on August 15, 2011.\n99\n  The site was accessed for the                        policies on September 14, 2011.\n2011 Annual FISMA Executive Summary Report                                          February 2, 2012\nReport No. 501\n                                     Page 55\n                             REDACTED PUBLIC VERSION\n\x0c                                                                              Appendix VI\n\n                                                    Date                     Where       Number\n   FISMA                                                       Defined\n               Name of Policy    Policy Number      Last                  Frequency      of Years\n  Controls                                                    Frequency\n                                                  Updated                  Specified     Outdated\n                                                  12/29/05     Annual     Specified in       5\n                                                                          policy or\n                                                                          procedure\n                                                  1/11/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  1/11/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  12/30/05     3 years    IT Security       3\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  12/30/05     3 years    IT Security       3\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  12/ 30/05    3 years    IT Security       3\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  1/ 3/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  1/ 3/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  12/30/05     3 years    IT Security       3\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  4/17/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  1/11/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n                                                  1/11/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n\n                                             05   1/11/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n\n                                                  1/11/06      3 years    IT Security       2\n                                                                          Compliance\n                                                                          Program\n                                                                          Policy\n2011 Annual FISMA Executive Summary Report                                     February 2, 2012\nReport No. 501\n                                    Page 56\n                            REDACTED PUBLIC VERSION\n\x0c                                                                                    Appendix VI\n\n                                                        Date                      Where        Number\n       FISMA                                                       Defined\n                 Name of Policy    Policy Number        Last                    Frequency      of Years\n      Controls                                                    Frequency\n                                                       Updated                   Specified     Outdated\n\n                                                      12/30/05      3 years     IT Security       3\n                                                                                Compliance\n                                                                                Program\n                                                                                Policy\n                                                      12/30/05      3 years     IT Security       3\n                                                                                Compliance\n                                                                                Program\n                                                                                Policy\n                                                      12/30/05      3 years     IT Security       3\n                                                                                Compliance\n                                                                                Program\n                                                                                Policy\n                                                      4/17/06       3 years     IT Security       2\n                                                                                Compliance\n                                                                                Program\n                                                                                Policy\n                                                      8/9/07        Annual      Specified in      3\n                                                                                policy or\n                                                                                procedure\n\n\n\n                                                      3/6/07        3 years     IT Security       1\n                                                                                Compliance\n                                                                                Program\n                                                                                Policy\n                                                      12/29/05      Annual      Specified in      3\n                                                                                policy or\n                                                                                procedure\n\n                                                      6/29/05       Annual      Specified in      3\n                                                                                policy or\n                                                                                procedure\n                                                      8/20/02       3 years     IT Security       6\n                                                                                Compliance\n                                                                                Program\n                                                                                Policy\n                                                      4/16/02       3 years     IT Security       6\n                                                                                Compliance\n                                                                                Program\n                                                                                Policy\n                                                      4/16/02       Annual      Specified in      8\n                                                                                policy or\n                                                                                procedure\n                                                      8/10/06       Annual      Specified in      4\n                                                                                policy or\n                                                                                procedure\n                                                      12/30/05      Annual      Specified in      5\n                                                                                policy or\n                                                                                procedure\n\n\n100\n    The site was accessed for the              and reporting policies on September 13, 2011.\n101\n    The site was accessed for the   training policy on September 13, 2011.\n102\n    The site was accessed for the           on August 15, 2011.\n103\n    The site was accessed for the           management policies on September 19, 2011.\n2011 Annual FISMA Executive Summary Report                                           February 2, 2012\nReport No. 501\n                                      Page 57\n                              REDACTED PUBLIC VERSION\n\x0c                                                                                Appendix VI\n\n                                                    Date                      Where       Number\n       FISMA                                                   Defined\n                 Name of Policy   Policy Number     Last                   Frequency      of Years\n      Controls                                                Frequency\n                                                  Updated                   Specified     Outdated\n                                                  12/30/05      3 years    IT Security        3\n                                                                           Compliance\n                                                                           Program\n                                                                           Policy\n                                                  7/9/08        Annual     Specified in      2\n                                                                           policy or\n                                                                           procedure\n                                                  4/ 6/06       Annual     Specified in      4\n                                                                           policy or\n                                                                           procedure\n                                                  8/6/02        Annual     Specified in      8\n                                                                           policy or\n                                                                           procedure\n                                                  2/4/03        Annual     Specified in      7\n                                                                           policy or\n                                                                           procedure\n\nSource: NIT Generated.\n\n\n\n\n104\n  The site was accessed for the               management policies on September 12, 2011.\n105\n  The site was accessed for the                policies on September 9, 2011.\n2011 Annual FISMA Executive Summary Report                                      February 2, 2012\nReport No. 501\n                                      Page 58\n                              REDACTED PUBLIC VERSION\n\x0c                                                                                        Appendix VII\n\n\n                             Management Comments\n\n                                          MEMORANDUM\n\n\n\n\n                                                                                 Oht\n                                                                                \xef\xbf\xbd\n TO:               Noelle Meloney Aotlng 1",,,,,otN Genecal. Office of In,,,,,otN Genecal\n\n\n FROM:             Thorn" A. Beyee. DlceotN. Offl" 0\' \'n\'o=oIlon Technology\n\n\n\n RE:               Office of Infom1ation Technology\'s Response to the Office of Inspector\n                     General\'s Draft Report, 2011 Annual FI$MA Executive Summary\n                   Report, Report No, 501\n\n\n DATE:             February 2, 2012\n\n\n This memorandum is in response to the Office of Inspector General\'s (OIG) Draft\n Report No. 501 entitled, 2011 Annual FISMA Executive Summary Report, Thank you for\n the opportunity to review and respond 10 this report.\n\n\n OIG Recommendation:\n\n\n Recommendation 1:\n\n\n The Office of Information Technology (OIT) should develop and implement a detailed\n plan to review and update 011 security policies and procedures and to create OIT\n security policies and procedures for areas that lack formal policy and procedures.\n\n\n OIT concurs with this recommendation. We are cu"ently revising all policies and will\n develop a plan to review and update on a regular basis.\n\n Recommendation 2:\n\n\n The Office of Information Technology should develop a comprehensive risk\n management strategy in accordance with National lnslitute of Standards and\n Technology. Guide for Applying the Risk Management Framework to Federal\n Infom1ation Systems: A Security Life Cycle Approach that will ensure management of\n system-related security risks is conSistent with the Commission\'s mission/business\n objectives and overall risk strategy.\n\n\n OIT concurs with this recommendation. OIT will develop an information system-related\n security   risk    management        program   consistent   with   NIST   SP800-37   and   the\n missionlbusiness n\'sk strategyestab/ished by senior Commission leadership.\n\n Recommendation 3:\n\n\n\n\n                                                   1\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                              February 2, 2012\nReport No. 501\n                                         Page 59\n                                 REDACTED PUBLIC VERSION\n\x0c                                                                                     Appendix VII\n\n\nThe Office of Information Technology (DIT) should update its risk management policy to\ninclude language regarding developing a comprehensive governance structure and\nensure management of system-related security risks i s consistent with the\nCommission\'s mission/business objectives and overall risk strategy.\n\n\nOIT concurs with this recommendation. OIT will update its risk management policy 10 be\nconsistent with N/ST SP800-37 and Ihe mission/bUsiness risk strategy established by\nsenior Commission leadership. While OIT Security already works with Divisions, Offices\nand Regional Offices on a business impact analysis, OIT Security will document risk,\nbeginning with the finalization of Nationa/lnstitute of Standards and Technology (NIST)\nSpecial Publication (SP) 800-30, Revision 1, Guide for Conducting Risk Assessments.\nAs of January 2, 2012, NlST anticipates finalization in June 2012.\n\nRecommendation 4:\n\n\nThe Office of Information Technology should devekJp and implement a formal risk\nmanagement procedure that identifies an acceptable process for evaluating system risk\nand is consistent with the Commission\'s missionfbusiness objectives and overall risk\nstrategy.\n\n\nOIT concurs with this recommendation. OIT will imp/ement an information system\xc2\xad\nrelaled security risk management procedure conSistent with NIST SP800-37 and the\nmissionlbusiness risk strategy established by senler Commission leadership. While OIT\nSecurity already works with Divisions, Offices and Regional Offices on a business\nimpact analysis, OIT Security. will document risk, beginning with Ihe finalization of\nNationa/lnstitute of Standards and Technology (NIST) Special Publication (SP) 800-30,\nReViSion 1, Guide for Conducting Risk Assessments. As of January 2, 2012, NIST\nanticipates finalization in JUTlfl 2012.\n\nRecommendation 5:\n\n                              l\nThe Office of Information Tec :lnology should develop and implement formal policy that\naddresses tailoring baseline secur ity controls sets.\n\n\nOIT concurs with this recommendation. OIT Security is working on a comprehensive\nupdate of its policies and procedures, including documentation to address tailoring\nbaseline security control sets.\n\nRecommendation 6:\n\n\nThe Office of Information Technology should determine whether it should perform the\ntailor ing process at the organization level for all informalion systems (either as the\nrequired tailored baseline or as Ihe starti ng point for system-specific tailoring), at the\n\n\n\n\n                                                2\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                            February 2, 2012\nReport No. 501\n                                       Page 60\n                               REDACTED PUBLIC VERSION\n\x0c                                                                                  Appendix VII\n\n\n\n\n  individual information system tevel, or by using a combination of organization-level and\n  system-specific approaches.\n\n\n  OIT concurs with this recommendation. OIT Security is working on a comprehensive\n  update of its policies and procedures, including documentation to address tailoring\n  baseline security control sets.\n\n\n  Recommendation\xc2\xb77:\n\n  The Office of Information Technology should tailor a baseline security controls set (with\n  rationale) for applicable systems in accordance with the guidance in National Institute of\n  Standards and Technology, Guide for Applying the Risk Management Framework to\n  Federa l Information Systems: A Security Life Cye/e Approach, and National Institute of\n  Standards and Technology, Recommended Security Controls for Federal lnforma/ion\n  Systems and Organizations.\n\n\n  OIT concurs with this recommendation. OtT Security is working on a comprehensive\n  update of its policies and procedures, including documentation to address tailoring\n  baseline security control sets.\n\n  Recommendation 8:\n\n  The Office of Information Technology should review and update its configuration\n  management policy and ensure that it compHes with the Federal lnfonnation Security\n  Management Act requirements, the guidelines specified in National Institute of\n  Standards and TeChnology, Recommended Security Controls for Federal Information\n  Systems and Organizations, and its intemal requirements.\n\n\n  OIT concurs with this recommendation. OIT Security is working on a comprehensive\n  update of its policies and procedures, including documentation to address configuration\n  management.\n\n  Recommendation 9:\n\n  The Office of Information Technology should review and document its current standard\n  baseline configuration, including identification of approved deviations and exceptions to\n  the standard.\n\n\n  OIT concurs with this recommendation. OIT Security is working on a comprehensive\n  update of its policies and procedures, including identification of approved deviations and\n  exceptions to the standard.\n\n  Recommendation 10:\n\n\n\n\n                                               3\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                         February 2, 2012\nReport No. 501\n                                      Page 61\n                              REDACTED PUBLIC VERSION\n\x0c                                                                                      Appendix VII\n\n\n The Office of Information Technology should conduct compliance scans of its\n information technology devices, according to the organizationally defined frequency in\n the policy and procedures, to ensure that all devices are configured as required by the\n Office of Information Technology\'s configuration management policy and procedures.\n\n\n OIT concurs     with   this recommendation.     OIT Security is     working on     configuring\n automated devices to conduct compliance scans of information technology devices to\n ensure thai all are configured as required by OIT\'s configuration management policy\n and procedures.\n\n Recommendation 11:\n\n\n The Office of Information Technology should update its policy and include language\n indicating that deviations from baseline conflQurations that are identified and\n documented as a result of the configuration compliance scans are properly remediated\n in a timely manner.\n\n\n OIT concurs with this recommendation. OIT Security is working on comprehensive\n documentation of its standard baseline configuration including identification of approved\n deviations, exceptions to the standard and timely remediation of exceptions.\n\n Recommendation 12:\n\n\n The Office of Information Technology should provide a new date to the Office of\n Management and Budget for implementing the technical solution for linking mullifactor\n authentication to Personal Ide\'llity Verification cards for system authentication.\n\n\n OIT concurs with this recommendation. SEC OIT, as many other agencies, is working\n through technical challenges for successful implementation to be able to effectively\n provide remote access using PIV authentication to the user community. OIT will reach\n out to agencies that have successfully implemented multifactor authentication using the\n Personal Identity Verification (P)V) cards.\n\n Recommendation 13:\n\n\n The Office of Information Technology should complete its implementation of the\n technical solution for linking multi-factor authentication to Personal Identity Verification\n (PIV) cards for system authentication and require use of the PIV cards as a second\n authentication factor by December 2012.\n\n\n OIT concurs with this recommendation. OIT is working through technical challenges for\n successful implementation to be able to effectively provide remote access va\n                                                                            i PIV\n authentication to   the user community.       OIT will reach   out to agencies that have\n\n\n\n\n                                                4\n\n\n\n\n2011 Annual FISMA Executive Summary Report                                            February 2, 2012\nReport No. 501\n                                      Page 62\n                              REDACTED PUBLIC VERSION\n\x0c                                                      Appendix VII\n\n\n\n\n2011 Annual FISMA Executive Summary Report            February 2, 2012\nReport No. 501\n                                    Page 63\n                            REDACTED PUBLIC VERSION\n\x0c                                                                 Appendix VIII\n\n\n      OIG Response to Management\xe2\x80\x99s Comments\n\nWe are pleased that OIT concurred with the report\xe2\x80\x99s 13 recommendations. We\nare also encouraged that OIT has indicated that they will initiate actions to\naddress the findings described in the report. We believe that OIT\xe2\x80\x99s proposed\nactions are responsive to the report\xe2\x80\x99s findings and recommendations and their\nimplementation of the recommendations will further aid in strengthening the\nSEC\xe2\x80\x99s information security program and its systems.\n\n\n\n\n2011 Annual FISMA Executive Summary Report                        February 2, 2012\nReport No. 501\n                                    Page 64\n                            REDACTED PUBLIC VERSION\n\x0c                     Audit Requests and Ideas\n\nThe Office of Inspector General welcomes your input. If you would like to\nrequest an audit in the future or have an audit idea, please contact us at\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Idea)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTelephone: 202-551-6061\nFax:       202-772-9265\nE-mail:    oig@sec.gov\n\n\n\n\n      Hotline\n      To report fraud, waste, abuse, and mismanagement at the SEC,\n      contact the Office of Inspector General at\n\n      Telephone: 877.442.0854\n\n      Web-Based Hotline Complaint Form:\n      www.reportlineweb.com/sec_oig\n\x0c'